```
cscli parsers install crowdsecurity/dateparse-enrich
```

Parses timestamp strings in logs so they can be used in forensic mode. The parser supports the following formats, or the one provided in `StrTimeFormat`:

- `02/Jan/2006:15:04:05 -0700`
- `Mon Jan 2 15:04:05 2006`
- `02-Jan-2006 15:04:05 europe/paris`
- `01/02/2006 15:04:05`
- `2006-01-02 15:04:05.999999999 -0700 MST`
- `Jan 2 15:04:05`
- `Mon Jan 02 15:04:05.000000 2006`
- `2006-01-02T15:04:05Z07:00`
- `2006/01/02`
- `2006/01/02 15:04`
- `2006-01-02`
- `2006-01-02 15:04`

The `StrTime` item of the event is parsed by default. See crowdsecurity/syslog-logs as an example of a parser setting this field for crowdsecurity/dateparse-enrich.
If a date layout is present in the `StrTimeFormat` field of the event, it takes precedence over the list above. The date layout must be valid in Go's `time.Parse` layout format; this allows a parser to specify the date format its log type uses for later parsing:
```yaml
filter: ...
...
statics:
  - target: evt.StrTimeFormat
    value: "2006 2 15.04.05 Jan"
...
```

This allows crowdsecurity/dateparse-enrich to parse dates in this format for this log type.
```yaml
filter: "evt.StrTime != ''"
name: crowdsecurity/dateparse-enrich
#debug: true
#it's a hack lol
statics:
  - method: ParseDate
    expression: evt.StrTime
  - target: MarshaledTime
    expression: evt.Enriched.MarshaledTime
  - meta: timestamp
    expression: evt.Enriched.MarshaledTime
```
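To make the lookup order concrete, here is an added Go example (not the CrowdSec project's own code) that tries a per-event `StrTimeFormat` first and then the page's list of layouts, the way the text describes. The `ParseDate` function, the sample timestamps, the RFC 3339 rendering used as a stand-in for `MarshaledTime`, and the current-year fix-up for year-less syslog layouts are all this example's own assumptions; the page documents none of them.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// defaultLayouts are the layouts listed on the page, written in Go's
// time.Parse reference-time notation (reference time: Mon Jan 2 15:04:05 MST 2006).
// Order matters: the first layout that parses wins, and a layout that is a
// prefix of another only succeeds when no extra text follows the match.
var defaultLayouts = []string{
	"02/Jan/2006:15:04:05 -0700",
	"Mon Jan 2 15:04:05 2006",
	"02-Jan-2006 15:04:05 europe/paris",
	"01/02/2006 15:04:05",
	"2006-01-02 15:04:05.999999999 -0700 MST",
	"Jan 2 15:04:05",
	"Mon Jan 02 15:04:05.000000 2006",
	"2006-01-02T15:04:05Z07:00",
	"2006/01/02",
	"2006/01/02 15:04",
	"2006-01-02",
	"2006-01-02 15:04",
}

// ParseDate (hypothetical helper) tries strTimeFormat first when it is set,
// then each default layout. It returns the timestamp rendered as RFC 3339
// (an assumed stand-in for MarshaledTime), the layout that matched, and an
// error when nothing matched so the caller can decide how to handle the event.
func ParseDate(strTime, strTimeFormat string) (string, string, error) {
	layouts := defaultLayouts
	if strTimeFormat != "" {
		layouts = append([]string{strTimeFormat}, defaultLayouts...)
	}
	value := strings.TrimSpace(strTime)
	for _, layout := range layouts {
		t, err := time.Parse(layout, value)
		if err != nil {
			continue // not this layout, try the next one
		}
		// Syslog-style layouts carry no year, so Go reports year 0. Assuming the
		// current year is this example's choice; the page does not specify it.
		if t.Year() == 0 {
			t = t.AddDate(time.Now().Year(), 0, 0)
		}
		return t.Format(time.RFC3339), layout, nil
	}
	return "", "", fmt.Errorf("no layout matched %q", strTime)
}

func main() {
	// Constructed sample inputs: an Apache-style stamp, an ISO-like stamp, and
	// one using the custom StrTimeFormat shown on the page.
	samples := []struct{ in, format string }{
		{"10/Oct/2000:13:55:36 -0700", ""},
		{"2024-03-01 12:30", ""},
		{"2023 7 09.15.30 Mar", "2006 2 15.04.05 Jan"},
		{"not a date", ""},
	}
	for _, s := range samples {
		ts, layout, err := ParseDate(s.in, s.format)
		if err != nil {
			fmt.Printf("%-30q -> %v\n", s.in, err)
			continue
		}
		fmt.Printf("%-30q -> %s (layout %q)\n", s.in, ts, layout)
	}
}
```

Note that `2006-01-02` does not swallow `2024-03-01 12:30`: `time.Parse` rejects trailing text, so the event falls through to `2006-01-02 15:04`. Keeping a log type's exact layout in `StrTimeFormat` avoids depending on that fallthrough and on the order of the default list.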