This repository has been archived by the owner on Dec 14, 2024. It is now read-only.
Describe the bug
In default/transforms.conf, there was a time when src_user was replaced by source_name in the transforms.conf, but that does not match the format of the logs. This causes all fields after src_ip to be mislabeled (an offset of +1 according to the log spec and examples from the field).
Expected behavior
We expect timeout_threshold to appear in the timeout_threshold field and action_flags to appear in the action_flags field, etc.
Current behavior
action_flags appears in the device_group_level1 field, sequence_number appears in the action_flags field.
Given PAN-OS 11 and at least as far back as PAN-OS 9: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields
Format: FUTURE_USER, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Data Source Name, Event ID, Repeat Count, Time Out Threshold, Source Port, Destination Port, Data Source, Data Source Type, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Factor Type, Factor Completion Time, Factor Number, User Group Flags, User by Source, Tag Name, High Resolution Timestamp, Origin Data Source, FUTURE_USE, Cluster Name
src_user and source_name are two distinct fields, where src_user comes first and source_name comes second.
Possible solution
Add src_user before source_name in the fields list in transforms.conf
[extract_userid]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"
should be:
[extract_userid]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","src_ip","src_user","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"
Steps to reproduce
If you just look at the source_name, action_flags or any field following src_ip then it should be clear that the positional fields are off by 1.
Context
This bug corrupts data models and breaks CIM
Your Environment
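As an added illustration (not code from the issue or from the TA itself), the script below mimics Splunk's positional DELIMS/FIELDS extraction against a constructed User-ID log line, using the shipped FIELDS list and the proposed one, so the +1 shift of every field after src_ip can be seen and checked. The sample line and its values are made up.

```python
"""Show the off-by-one caused by a missing name in a DELIMS/FIELDS extraction."""

# FIELDS list as shipped in the issue's transforms.conf (no src_user).
OLD_FIELDS = ("future_use1,receive_time,serial_number,log_type,log_subtype,version,"
              "generated_time,vsys,src_ip,source_name,event_id,repeat_count,"
              "timeout_threshold,src_port,dest_port,source,source_type,sequence_number,"
              "action_flags,devicegroup_level1,devicegroup_level2,devicegroup_level3,"
              "devicegroup_level4,vsys_name,dvc_name,vsys_id,factor_type,"
              "factor_completion_time,factor_number").split(",")

# Proposed fix from the issue: src_user sits between src_ip and source_name.
NEW_FIELDS = OLD_FIELDS[:9] + ["src_user"] + OLD_FIELDS[9:]

# Constructed User-ID log line in the documented column order (values are invented;
# note the quirk of a plain comma split: a receive_time with a space is still one value).
SAMPLE = ("1,2024/01/01 12:00:00,001234567890,USERID,login,2561,2024/01/01 12:00:00,"
          "vsys1,10.1.2.3,acme\\jdoe,agent-dc01,login,1,2700,0,0,agent,active-directory,"
          "7654321,0x0,0,0,0,0,vsys1,PA-FW-01,1,0,,0")


def extract(line, fields, delim=","):
    """Mimic Splunk DELIMS/FIELDS: split on the delimiter, assign names by position.
    DELIMS does no CSV quoting; values beyond the last name are dropped."""
    return dict(zip(fields, line.split(delim)))


def position_shift(old_fields, new_fields):
    """Offset each shared field name moves by between the two lists (0 = unchanged)."""
    return {f: new_fields.index(f) - old_fields.index(f)
            for f in old_fields if f in new_fields}


def mislabeled(line, old_fields, new_fields):
    """Fields whose value under the shipped list differs from the corrected list."""
    old, new = extract(line, old_fields), extract(line, new_fields)
    return {f: (old[f], new[f]) for f in old if f in new and old[f] != new[f]}


if __name__ == "__main__":
    for f, (wrong, right) in mislabeled(SAMPLE, OLD_FIELDS, NEW_FIELDS).items():
        print(f"{f:24} shipped={wrong!r:22} correct={right!r}")
```

Every field from source_name onward reports a shift of 1, matching the issue's observation that action_flags shows up in devicegroup_level1 and sequence_number in action_flags.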