cscli parsers install crowdsecurity/dateparse-enrich
Parses the timestamp string carried by a log line so that the event is dated by the time recorded in the log rather than by the time of ingestion, which is what matters when CrowdSec replays existing log files (forensic mode). The parser supports the following Go time.Parse layouts, or the one provided in StrTimeFormat:
02/Jan/2006:15:04:05 -0700
Mon Jan 2 15:04:05 2006
02-Jan-2006 15:04:05 europe/paris
01/02/2006 15:04:05
2006-01-02 15:04:05.999999999 -0700 MST
Jan 2 15:04:05
Mon Jan 02 15:04:05.000000 2006
2006-01-02T15:04:05Z07:00
2006/01/02
2006/01/02 15:04
2006-01-02
2006-01-02 15:04
By default the parser reads the timestamp from the StrTime field of the event. See crowdsecurity/syslog-logs for an example of a parser that sets this field for crowdsecurity/dateparse-enrich to consume.
If a date layout is present in the StrTimeFormat field of the event, it takes precedence over the list above. The layout must be valid in Go's time.Parse layout format, which lets an upstream parser declare the date format of its log type for later parsing:
filter: ...
...
statics:
  - target: evt.StrTimeFormat
    value: "2006 2 15.04.05 Jan"
...
This allows crowdsecurity/dateparse-enrich to parse dates in this format for this log type.
filter: "evt.StrTime != ''"
name: crowdsecurity/dateparse-enrich
#debug: true
#it's a hack lol
statics:
  - method: ParseDate
    expression: evt.StrTime
  - target: MarshaledTime
    expression: evt.Enriched.MarshaledTime
  - meta: timestamp
    expression: evt.Enriched.MarshaledTime
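The following Go program is an added illustration of the behaviour described on this page, both the StrTimeFormat precedence rule and the statics of the parser above; it is not CrowdSec's own code. It tries a StrTimeFormat override first, then the layouts listed on this page (the order in which it tries them is an assumption), and copies the RFC 3339 result into Enriched.MarshaledTime and meta.timestamp on a hypothetical Event struct. One caveat it handles explicitly: the syslog layout "Jan 2 15:04:05" carries no year, so time.Parse returns year 0; this example substitutes a caller-supplied year, which is this example's choice and not a statement about what the real enricher does. All sample timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Layouts this page lists for dateparse-enrich, tried in order. The order
// below is an assumption made for this example; only the set comes from the page.
var defaultLayouts = []string{
	"02/Jan/2006:15:04:05 -0700",
	"Mon Jan 2 15:04:05 2006",
	"02-Jan-2006 15:04:05 europe/paris",
	"01/02/2006 15:04:05",
	"2006-01-02 15:04:05.999999999 -0700 MST",
	"Jan 2 15:04:05",
	"Mon Jan 02 15:04:05.000000 2006",
	"2006-01-02T15:04:05Z07:00",
	"2006/01/02",
	"2006/01/02 15:04",
	"2006-01-02",
	"2006-01-02 15:04",
}

// Event is a hypothetical stand-in for the CrowdSec event fields this example
// touches; it is not the project's own type.
type Event struct {
	StrTime       string
	StrTimeFormat string
	Enriched      map[string]string
	Meta          map[string]string
}

// parseWithLayout parses s with one Go time.Parse layout. Layouts without a
// year (syslog's "Jan 2 15:04:05") yield year 0, so the caller-supplied
// fallbackYear is substituted; that substitution is this example's choice.
func parseWithLayout(s, layout string, fallbackYear int) (time.Time, bool) {
	t, err := time.Parse(layout, s)
	if err != nil {
		return time.Time{}, false
	}
	if t.Year() == 0 {
		t = t.AddDate(fallbackYear, 0, 0)
	}
	return t, true
}

// ParseDate applies the precedence described on the page: a layout given in
// StrTimeFormat is tried first, then the built-in list. The result is the
// RFC 3339 text produced by time.Time.MarshalText.
func ParseDate(strTime, strTimeFormat string, fallbackYear int) (string, error) {
	layouts := defaultLayouts
	if strTimeFormat != "" {
		layouts = append([]string{strTimeFormat}, defaultLayouts...)
	}
	for _, layout := range layouts {
		if t, ok := parseWithLayout(strTime, layout, fallbackYear); ok {
			b, err := t.MarshalText()
			if err != nil {
				return "", err
			}
			return string(b), nil
		}
	}
	return "", fmt.Errorf("no layout matched %q", strTime)
}

// Enrich mirrors the parser's statics: ParseDate on evt.StrTime, with the
// result copied to Enriched.MarshaledTime and meta.timestamp. An unparseable
// StrTime leaves the event untouched and is reported to the caller.
func Enrich(evt *Event, fallbackYear int) error {
	marshaled, err := ParseDate(evt.StrTime, evt.StrTimeFormat, fallbackYear)
	if err != nil {
		return err
	}
	if evt.Enriched == nil {
		evt.Enriched = map[string]string{}
	}
	if evt.Meta == nil {
		evt.Meta = map[string]string{}
	}
	evt.Enriched["MarshaledTime"] = marshaled
	evt.Meta["timestamp"] = marshaled
	return nil
}

func main() {
	// Constructed sample timestamps, not taken from real logs.
	samples := []Event{
		{StrTime: "10/Oct/2000:13:55:36 -0700"},                                // web access log style
		{StrTime: "Oct 10 13:55:36"},                                            // syslog, no year
		{StrTime: "2024 7 09.30.00 Mar", StrTimeFormat: "2006 2 15.04.05 Jan"}, // layout from this page
		{StrTime: "2024-01-02", StrTimeFormat: "2006 2 15.04.05 Jan"},          // override fails, list matches
		{StrTime: "not a date"},
	}
	for i := range samples {
		if err := Enrich(&samples[i], 2024); err != nil {
			fmt.Printf("%-32q -> error: %v\n", samples[i].StrTime, err)
			continue
		}
		fmt.Printf("%-32q -> %s\n", samples[i].StrTime, samples[i].Meta["timestamp"])
	}
}
```

The fourth sample shows why the precedence rule matters in practice: a wrong StrTimeFormat does not poison the event, because the built-in list is still consulted when the override fails to match, while a completely unparseable StrTime produces no MarshaledTime at all rather than a silently wrong one.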