Decode_CEF preprocessor fails when MAC address is without separators

[LaZyDK]

Describe the enhancement:
Decode_CEF preprocessor needs to support MAC addresses without separating characters.

beats/x-pack/filebeat/processors/decode_cef/cef/types.go

Line 93 in 877d8bc

func toMACAddress(v string) (string, error) {

Describe a specific use case for the enhancement or feature:
While sending syslog in CEF format from Aruba ClearPass we get errors.

Log from Aruba ClearPass:
<143>Jul 26 2021 15:09:34 192.168.203.220 CEF:0|Aruba Networks|ClearPass|6.8.7.120583|2001|Failed Authentications|5|cat=Session Logs dvc=192.168.203.220 duser=0011223359e4 destinationServiceName=TEST_PROD MAC-AUTH Wired dpriv=TEST-VL1, [User Authenticated] cs2=Local:localhost cs2Label=Auth Source requestMethod=MAC-AUTH cs4=UNKNOWN cs4Label=System Posture Token outcome=[Update Endpoint Known], TEST-MerakiAP-VL1, MAC-AUTH-port-mode dmac=0011223359e4 src=192.168.1.78 cn1=0 cn1Label=Error Code rt=Jul 26 2021 15:08:37

Error message:
error in field 'dmac': address 0011223359e4: invalid MAC address

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

The parser is expecting a separator because the documention we used to implement it specified it for dmac. I tend to think Aruba should fix their formatter, but we should make our parser handle this case too.

Six colon-seperated hexadecimal numbers. Example: “00:0D:60:AF:1B:61”

Reference: https://ia801002.us.archive.org/11/items/commoneventformatv25/CommonEventFormatV25.pdf

[LaZyDK]

I agree that Aruba should stick to the CEF format, but even though they might fix this in the future we have no way of supporting their older software versions.
Having the parser doing this operation will be the best solution to support all needs.

[andrewkroh]

PR: #27109