Splunk Add-on for Cisco ESA: Add-on improperly extracts Message-ID header

Hi, I just noticed that the Splunk Add-on for Cisco ESA (tested with 1.2.2) improperly extracts the Message-ID header. Consider the following example:

Message-ID:

This gets extracted as message_id = somethingsomething123123@example.com

However, as per the RFC, the correct format includes the angle brackets, so including the brackets would be correct and is in line with the extractions for other Splunk apps that deal with Email (CIM compliant). I'm reporting this because this creates issues with correlation between multiple data sources.

Corrections:

props.conf:
EXTRACT-messageid = Message-ID \'(?.*?)\'

transforms.conf:
[message_id_for_cisco_esa]
REGEX = Message-ID\s*'([^']*)'
FORMAT = message_id::$1

Documenting in case Splunk wants to get this fixed or if someone else has this issue.
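The correlation problem described in the post, as an added example that is not part of the original post or of the add-on: it applies the REGEX from the transforms.conf correction to ESA-style events and joins them to a second source on message_id. The sample events, the second source, and the function names are constructed for illustration.

```python
import re

# Regex from the post's transforms.conf correction: the capture group takes
# everything between the single quotes, angle brackets included.
ESA_MESSAGE_ID = re.compile(r"Message-ID\s*'([^']*)'")

# Constructed ESA-style events (not real logs).
ESA_EVENTS = [
    "Info: MID 4711 Message-ID '<somethingsomething123123@example.com>'",
    "Info: MID 4712 Message-ID '<other456@example.com>'",
    "Info: MID 4713 ICID 99 From: <sender@example.com>",  # no Message-ID
]

# Constructed events from a hypothetical second mail source that keeps brackets.
OTHER_EVENTS = [
    {"message_id": "<somethingsomething123123@example.com>", "action": "delivered"},
    {"message_id": "<other456@example.com>", "action": "quarantined"},
]


def extract_message_id(event, strip_brackets=False):
    """Extract message_id; strip_brackets=True mimics the result the post reports."""
    match = ESA_MESSAGE_ID.search(event)
    if match is None:
        return None
    value = match.group(1)
    return value.strip("<>") if strip_brackets else value


def normalize(value):
    """Return the bracketed form whether or not the input already has brackets."""
    return "<" + value.strip().strip("<>") + ">"


def correlate(strip_brackets=False, normalize_ids=False):
    """Join ESA events to the other source on message_id; return (id, action) pairs."""
    key = normalize if normalize_ids else (lambda v: v)
    actions = {key(e["message_id"]): e["action"] for e in OTHER_EVENTS}
    matches = []
    for event in ESA_EVENTS:
        mid = extract_message_id(event, strip_brackets)
        if mid is not None and key(mid) in actions:
            matches.append((key(mid), actions[key(mid)]))
    return matches


if __name__ == "__main__":
    print("brackets stripped:", correlate(strip_brackets=True))
    print("brackets kept:    ", correlate())
    print("normalized join:  ", correlate(strip_brackets=True, normalize_ids=True))
```

Normalizing at search time is a fallback for data already indexed with the brackets stripped; keeping the brackets at extraction, as the post proposes, avoids the mismatch in the first place.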