This repository was archived by the owner on Dec 14, 2024. It is now read-only.

field offset wrong at src_user and source_name in transforms.conf #301

@lumpymilk

Description


Describe the bug

In default/transforms.conf, there was a time when src_user was replaced by source_name in transforms.conf, but that does not match the format of the logs. This causes all fields after src_ip to be mislabeled (an offset of +1 according to the log spec and examples from the field).

Expected behavior

We expect timeout_threshold to appear in the timeout_threshold field and action_flags to appear in the action_flags field, etc.

Current behavior

action_flags appears in the device_group_level1 field, sequence_number appears in the action_flags field.

Given PAN-OS 11 and at least as far back as PAN-OS 9: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields
Format: FUTURE_USER, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Data Source Name, Event ID, Repeat Count, Time Out Threshold, Source Port, Destination Port, Data Source, Data Source Type, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Factor Type, Factor Completion Time, Factor Number, User Group Flags, User by Source, Tag Name, High Resolution Timestamp, Origin Data Source, FUTURE_USE, Cluster Name

src_user and source_name are two distinct fields, where src_user comes first and source_name comes second.

Possible solution

Add src_user before source_name in the fields list in transforms.conf:
[extract_userid]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"

should be:

[extract_userid]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","src_ip","src_user","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"

Steps to reproduce

If you just look at the source_name, action_flags or any field following src_ip then it should be clear that the positional fields are off by 1.

Context

This bug corrupts data models and breaks CIM.

Your Environment
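The off-by-one described in this issue can be reproduced outside Splunk by applying both FIELDS lists positionally to a single User-ID line. The script below is an added example, not code from the Splunk add-on or from the issue author: it emulates the DELIMS = "," split with a plain str.split(",") (an assumption; quoted commas are not handled), uses a constructed sample log line laid out in the PAN-OS field order quoted above, and includes a small sanity check (hypothetical, not something the add-on ships) that flags numeric and flag-shaped fields holding the wrong kind of value, which is the quickest way to spot this class of extraction drift in an index.

```python
"""Reproduce the src_user/source_name offset from issue #301 on a constructed
PAN-OS User-ID line. Added example; not part of the Splunk add-on.
Assumption: Splunk's DELIMS="," behaves like a plain split on commas."""

# FIELDS list as it currently stands in default/transforms.conf (src_user missing)
FIELDS_CURRENT = [
    "future_use1", "receive_time", "serial_number", "log_type", "log_subtype",
    "version", "generated_time", "vsys", "src_ip", "source_name", "event_id",
    "repeat_count", "timeout_threshold", "src_port", "dest_port", "source",
    "source_type", "sequence_number", "action_flags", "devicegroup_level1",
    "devicegroup_level2", "devicegroup_level3", "devicegroup_level4",
    "vsys_name", "dvc_name", "vsys_id", "factor_type",
    "factor_completion_time", "factor_number",
]

# Proposed fix from the issue: src_user inserted directly after src_ip
FIELDS_FIXED = FIELDS_CURRENT[:9] + ["src_user"] + FIELDS_CURRENT[9:]

# Constructed sample User-ID log line (30 values, PAN-OS User-ID field order:
# FUTURE_USE, Receive Time, Serial, Type, Subtype, FUTURE_USE, Generated Time,
# VSYS, Source IP, User, Data Source Name, Event ID, Repeat Count, Time Out
# Threshold, Source Port, Dest Port, Data Source, Data Source Type, Sequence
# Number, Action Flags, DG1..DG4, VSYS Name, Device Name, VSYS ID, Factor Type,
# Factor Completion Time, Factor Number). Values are made up.
SAMPLE_LINE = (
    "1,2024/01/15 10:00:01,012345678901,USERID,login,2561,"
    "2024/01/15 10:00:01,vsys1,10.1.2.3,corp\\jdoe,agent-dc01,login,1,2700,"
    "0,0,agent,active-directory,7001234,0x8000000000000000,12,0,0,0,,"
    "fw-edge-01,1,,,0"
)


def extract(line, fields):
    """Positional extraction: the i-th value is labelled with the i-th field name,
    exactly as a DELIMS/FIELDS transform would do it."""
    return dict(zip(fields, line.split(",")))


def misplaced_fields(line, fields_bad, fields_good):
    """Return {field: (value_under_bad, value_under_good)} for every field name
    whose value differs between the two FIELDS lists."""
    bad = extract(line, fields_bad)
    good = extract(line, fields_good)
    return {f: (bad[f], good[f]) for f in fields_bad if bad[f] != good[f]}


def check_userid_line(line, fields):
    """Hypothetical sanity check on an extraction: counters and ports must be
    numeric, action_flags must look like a hex flag word. Returns the names of
    fields that fail, so an empty list means the extraction is consistent."""
    ev = extract(line, fields)
    problems = []
    for f in ("repeat_count", "timeout_threshold", "src_port",
              "dest_port", "sequence_number"):
        if not ev.get(f, "").isdigit():
            problems.append(f)
    if not ev.get("action_flags", "").startswith("0x"):
        problems.append("action_flags")
    return problems


def render_fields_line(fields):
    """Render a FIELDS = ... line in transforms.conf syntax for a field list."""
    return "FIELDS = " + ",".join('"%s"' % f for f in fields)


if __name__ == "__main__":
    for name, (old, new) in misplaced_fields(
            SAMPLE_LINE, FIELDS_CURRENT, FIELDS_FIXED).items():
        print("%-24s current=%-20r fixed=%r" % (name, old, new))
    print("problems (current):", check_userid_line(SAMPLE_LINE, FIELDS_CURRENT))
    print("problems (fixed):  ", check_userid_line(SAMPLE_LINE, FIELDS_FIXED))
    print(render_fields_line(FIELDS_FIXED))
```

With the current list, the hex action flags land in devicegroup_level1 and the sequence number in action_flags, matching the "Current behavior" section; with src_user inserted, every field lines up and the sanity check reports nothing. Running the same kind of type check (ports numeric, action_flags hex) as a scheduled search against the real index is a practical way to catch a silent positional drift like this after an add-on upgrade.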
