[otap-df-otap] Add support for CEF messages with Syslog headers (open-telemetry#1264)

Address open-telemetry#1073

## Changes
- Add support for parsing CEF messages with Syslog header
- Note that we still support parsing raw CEF messages


### Examples:

#### Raw CEF
```CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232```

#### CEF with Syslog header (This is a partial header with RFC 3164, example is from the [spec](https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.3/cef-implementation-standard/Content/CEF/Chapter%201%20What%20is%20CEF.htm))
```Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|worm
successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232```

Author: utpilla

rust/otap-dataflow/crates/otap/src/syslog_cef_receiver/arrow_records_encoder.rs

@@ -1426,7 +1426,7 @@ mod tests {
                     Some(&AttributeValue::String("1.0".to_string()))
                 );
                 assert_eq!(
-                    log1_attrs.get("cef.signature_id"),
+                    log1_attrs.get("cef.device_event_class_id"),
                     Some(&AttributeValue::String("100".to_string()))
                 );
                 assert_eq!(
@@ -1483,7 +1483,7 @@ mod tests {
                     Some(&AttributeValue::String("2.4.1".to_string()))
                 );
                 assert_eq!(
-                    log2_attrs.get("cef.signature_id"),
+                    log2_attrs.get("cef.device_event_class_id"),
                     Some(&AttributeValue::String("400".to_string()))
                 );
                 assert_eq!(
@@ -1526,7 +1526,7 @@ mod tests {
                     Some(&AttributeValue::String("1.2.3".to_string()))
                 );
                 assert_eq!(
-                    log3_attrs.get("cef.signature_id"),
+                    log3_attrs.get("cef.device_event_class_id"),
                     Some(&AttributeValue::String("SignatureID".to_string()))
                 );
                 assert_eq!(
@@ -2001,7 +2001,7 @@ mod tests {
                     Some(&AttributeValue::String("1.0".to_string()))
                 );
                 assert_eq!(
-                    log3_attrs.get("cef.signature_id"),
+                    log3_attrs.get("cef.device_event_class_id"),
                     Some(&AttributeValue::String("100".to_string()))
                 );
                 assert_eq!(
@@ -2643,7 +2643,10 @@ mod tests {
             log1_attrs.get("cef.device_version"),
             Some(&"1.0".to_string())
         );
-        assert_eq!(log1_attrs.get("cef.signature_id"), Some(&"100".to_string()));
+        assert_eq!(
+            log1_attrs.get("cef.device_event_class_id"),
+            Some(&"100".to_string())
+        );
         assert_eq!(
             log1_attrs.get("cef.name"),
             Some(&"worm successfully stopped".to_string())
@@ -2711,7 +2714,10 @@ mod tests {
             log2_attrs.get("cef.device_version"),
             Some(&"2.4.1".to_string())
         );
-        assert_eq!(log2_attrs.get("cef.signature_id"), Some(&"400".to_string()));
+        assert_eq!(
+            log2_attrs.get("cef.device_event_class_id"),
+            Some(&"400".to_string())
+        );
         assert_eq!(
             log2_attrs.get("cef.name"),
             Some(&"Successful Login".to_string())
@@ -2772,7 +2778,7 @@ mod tests {
             Some(&"1.2.3".to_string())
         );
         assert_eq!(
-            log3_attrs.get("cef.signature_id"),
+            log3_attrs.get("cef.device_event_class_id"),
             Some(&"SignatureID".to_string())
         );
         assert_eq!(log3_attrs.get("cef.name"), Some(&"Event Name".to_string()));
@@ -3050,7 +3056,10 @@ mod tests {
             log3_attrs.get("cef.device_version"),
             Some(&"1.0".to_string())
         );
-        assert_eq!(log3_attrs.get("cef.signature_id"), Some(&"100".to_string()));
+        assert_eq!(
+            log3_attrs.get("cef.device_event_class_id"),
+            Some(&"100".to_string())
+        );
         assert_eq!(
             log3_attrs.get("cef.name"),
             Some(&"worm successfully stopped".to_string())

rust/otap-dataflow/crates/otap/src/syslog_cef_receiver/parser/cef.rs

@@ -350,7 +350,7 @@ impl<'a> CefExtensionsIter<'a> {
 
     /// Collect all extensions into a Vec, allocating only when necessary
     #[cfg(test)]
-    fn collect_all(mut self) -> Vec<(Vec<u8>, Vec<u8>)> {
+    pub(super) fn collect_all(mut self) -> Vec<(Vec<u8>, Vec<u8>)> {
         let mut result = Vec::new();
         while let Some((key, value)) = self.next_extension() {
             result.push((key.to_vec(), value.to_vec()));

rust/otap-dataflow/crates/otap/src/syslog_cef_receiver/parser/mod.rs

@@ -40,22 +40,79 @@ pub enum ParseError {
     InvalidCef,
     /// Error parsing UTF-8 strings
     InvalidUtf8,
+    /// Error indicating that the format of the syslog message is unknown
+    UnknownFormat,
 }
 
 /// Parse a syslog message from bytes, automatically detecting the format
 pub(super) fn parse(input: &[u8]) -> Result<ParsedSyslogMessage<'_>, ParseError> {
-    // Check if it's a CEF message first
+    // Try pure CEF first - it's the simplest check
     if input.starts_with(b"CEF:") {
-        return parse_cef(input).map(ParsedSyslogMessage::Cef);
+        if let Ok(cef_msg) = parse_cef(input) {
+            return Ok(ParsedSyslogMessage::Cef(cef_msg));
+        }
+    }
+
+    // Try RFC 5424 (has version number after priority)
+    if let Ok(rfc5424_msg) = parse_rfc5424(input) {
+        // Check if the message contains CEF
+        if let Some(msg) = rfc5424_msg.message {
+            if msg.starts_with(b"CEF:") {
+                if let Ok(cef_msg) = parse_cef(msg) {
+                    return Ok(ParsedSyslogMessage::CefWithRfc5424(rfc5424_msg, cef_msg));
+                }
+            }
+        }
+        return Ok(ParsedSyslogMessage::Rfc5424(rfc5424_msg));
     }
 
-    // Try RFC 5424 first
-    if let Ok(msg) = parse_rfc5424(input) {
-        return Ok(ParsedSyslogMessage::Rfc5424(msg));
+    // Try RFC 3164
+    if let Ok(rfc3164_msg) = parse_rfc3164(input) {
+        // Check if the content contains CEF
+        if let Some(content) = rfc3164_msg.content {
+            if content.starts_with(b"CEF:") {
+                if let Ok(cef_msg) = parse_cef(content) {
+                    return Ok(ParsedSyslogMessage::CefWithRfc3164(rfc3164_msg, cef_msg));
+                }
+            }
+        }
+
+        // Special case: If tag is "CEF", the full CEF message spans from "CEF:" in the input
+        // This handles the case where RFC3164 parser splits "CEF:1|..." into tag="CEF" and content="1|..."
+        if rfc3164_msg.tag == Some(&b"CEF"[..]) && rfc3164_msg.content.is_some() {
+            // Find where "CEF:" appears in the original input after the hostname
+            if let Some(hostname) = rfc3164_msg.hostname {
+                // Find hostname position in input
+                if let Some(hostname_pos) =
+                    input.windows(hostname.len()).position(|w| w == hostname)
+                {
+                    // Look for "CEF:" after hostname position
+                    let search_start = hostname_pos + hostname.len();
+                    let after_hostname = &input[search_start..];
+
+                    // Find "CEF:" in the remaining input
+                    if let Some(cef_pos) = after_hostname.windows(4).position(|w| w == b"CEF:") {
+                        // The CEF message starts at this position and goes to the end
+                        let cef_message = &after_hostname[cef_pos..];
+
+                        if let Ok(cef_msg) = parse_cef(cef_message) {
+                            // Update the rfc3164 content to point to the full CEF message
+                            let mut modified_rfc3164 = rfc3164_msg;
+                            modified_rfc3164.content = Some(cef_message);
+                            return Ok(ParsedSyslogMessage::CefWithRfc3164(
+                                modified_rfc3164,
+                                cef_msg,
+                            ));
+                        }
+                    }
+                }
+            }
+        }
+
+        return Ok(ParsedSyslogMessage::Rfc3164(rfc3164_msg));
     }
 
-    // Fallback to RFC 3164
-    parse_rfc3164(input).map(ParsedSyslogMessage::Rfc3164)
+    Err(ParseError::UnknownFormat)
 }
 
 /// Parse priority from the beginning of a syslog message