Acknowledgements
Describe the bug
When processing CEF logs with key-value pairs that contain spaces in the values (such as error messages), the KV parser incorrectly truncates the value at the first space character. For example, when parsing msg=Connection to the primary Administration Server has been interrupted., the parser only captures "Connection" as the value instead of the complete message.
Regression Issue
Expected Behavior
The KV parser should properly handle field values that contain spaces, capturing the complete value until either:
- The next key-value pair (delimited by space)
- The end of the message
- A properly escaped delimiter
Current Behavior
When encountering a space within a field value, the parser stops reading and truncates the value at that point. Using the example log:
<67>Feb 25 14:19:59 dev-test-10-2 SyslogGen CEF:0|KasperskyLab|SecurityCenter|15.1.0.20748|KLSRV_EV_MASTER_SRV_DISCONNECTED|Connection to the primary Administration Server has been interrupted.|2|msg=Connection to the primary Administration Server has been interrupted. rt=1771952981000 cs9=Managed devices cs9Label=GroupName dhost=KSC-ISSPOL dst=127.0.0.1 cs2=1093 cs2Label=ProductName cs3=1.0.0.0 cs3Label=ProductVersion
The field msg=Connection to the primary Administration Server has been interrupted. gets parsed as:
- Current result: msg = Connection
- Expected result: msg = Connection to the primary Administration Server has been interrupted.
Reproduction Steps
- Configure a pipeline to process CEF logs using KV parsing
- Ingest a CEF log that contains field values with spaces (like error messages)
- Check the parsed fields in the processed log
- Observe that fields with spaces are truncated at the first space
Possible Solution
No response
Additional Information/Context
No response
UTMStack Version
11.2.3
Operating System and version
Ubuntu
Hypervisor and Version | Server Vendor and Model
n/a
Browser and version
n/a
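The boundary rule listed under Expected Behavior, as an added Go example (not UTMStack's parser code): a value runs until the next whitespace-preceded `key=` token or the end of the message, and an escaped `\=` stays inside the value. The names `Extension` and `ParseExtension` are hypothetical, and the sketch assumes that a literal `=` inside a value is escaped as `\=`, as the CEF format requires.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keyRe matches a "key=" token at the start of the extension or after whitespace.
// An escaped "\=" inside a value never matches: "\" is not a key character.
var keyRe = regexp.MustCompile(`(?:^|\s)([A-Za-z0-9_.-]+)=`)

// unescaper undoes the escapes CEF allows inside extension values.
var unescaper = strings.NewReplacer(`\\`, `\`, `\=`, `=`, `\n`, "\n", `\r`, "\r")

// Extension returns the text after the seventh unescaped "|" of the CEF header.
func Extension(line string) (string, bool) {
	start := strings.Index(line, "CEF:")
	if start < 0 {
		return "", false
	}
	for i, pipes := start, 0; i < len(line); i++ {
		if line[i] == '\\' {
			i++ // skip the escaped character
		} else if line[i] == '|' {
			if pipes++; pipes == 7 {
				return line[i+1:], true
			}
		}
	}
	return "", false
}

// ParseExtension keeps spaces: a value ends at the next " key=" token or at end of input.
func ParseExtension(ext string) map[string]string {
	fields := map[string]string{}
	locs := keyRe.FindAllStringSubmatchIndex(ext, -1)
	for i, loc := range locs {
		end := len(ext)
		if i+1 < len(locs) {
			end = locs[i+1][0] // start of the whitespace before the next key
		}
		fields[ext[loc[2]:loc[3]]] = unescaper.Replace(strings.TrimSpace(ext[loc[1]:end]))
	}
	return fields
}

func main() {
	// The log line from the report above, cut after the cs9Label field.
	line := `CEF:0|KasperskyLab|SecurityCenter|15.1.0.20748|KLSRV_EV_MASTER_SRV_DISCONNECTED|Connection to the primary Administration Server has been interrupted.|2|msg=Connection to the primary Administration Server has been interrupted. rt=1771952981000 cs9=Managed devices cs9Label=GroupName`
	ext, _ := Extension(line)
	fmt.Printf("%q\n", ParseExtension(ext)["msg"])
}
```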