Convert Log Date

Tags:

#1 Jan Henk.Veldman

Hello, 

I'm trying to convert a date in NXlog from 06/15/16 to 2016-06-15 because NXlog is not able to parse the date (DEBUG couldn't parse date: 06/14/16).

I created a regular expression ($Date =~ s/(\d+)\/(\d+)\/(\d+)/20$3-$2-$1/;) in my module to convert the date. See the module below:

 Exec if $raw_event =~ /^[0-9][0-9],/                        \
        {                                                        \
            ParseDHCP->parse_csv();                                 \
            if $raw_event =~ /^00/ $IDdef = "The log was started.";    \
            if $raw_event =~ /^01/ $IDdef = "The log was stopped.";    \
            if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space.";    \
            if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client.";    \
            if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client.";    \
            if $raw_event =~ /^12/ $IDdef = "A lease was released by a client.";    \
            if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network.";    \
            if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted.";    \
            if $raw_event =~ /^15/ $IDdef = "A lease was denied.";    \
            if $raw_event =~ /^16/ $IDdef = "A lease was deleted.";    \
            if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted.";    \
            if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted.";    \
            if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client.";    \
            if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client.";    \
            if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.";    \
            if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use.";    \
            if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began.";    \
            if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics.";    \
            if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server.";    \
            if $raw_event =~ /^31/ $IDdef = "DNS update failed.";    \
            if $raw_event =~ /^32/ $IDdef = "DNS update successful.";    \
            if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy.";    \
            if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded.";    \
            if $raw_event =~ /^35/ $IDdef = "DNS update request failed.";    \
            if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match.";    \
            if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information.";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation";    \
            if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.";    \
            $host            =    hostname_fqdn();                \
            $Date =~ s/(\d+)\/(\d+)\/(\d+)/20$3-$2-$1/;   \
            $EventTime         =     parsedate($Date + " " + $Time);    \
            $SourceName     =     "DHCPEvents";                    \
            $Message         =     to_json();                        \
        }                                                        \
        else                                                    \
            drop();

However, it returns 2016-06-15 17:37:29 INFO EventTime: 20$3-$2-$1


#2 adm Nxlog ✓

It's not possible to use captured value references inside the regexp substitution, so you'll need something like this:

# 06/15/16 is MM/DD/YY, so the month is $1 and the day is $2 (the original order produced 2016-15-06)
if $Date =~ /(\d+)\/(\d+)\/(\d+)/ { $Date = '20' + $3 + '-' + $1 + '-' + $2; };

There is also strptime().
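For reference, here is a complete input module that applies both approaches from the answer: rebuilding $Date from captured groups in a separate statement, and the strptime() alternative. This is an added example, not configuration from the thread or from NXLog's documentation. The log path and the CSV field list (taken from the header line a Windows DHCP server writes to its audit log) are assumptions; adjust them to your server.

```nxlog
<Extension json>
    Module  xm_json
</Extension>

# Field names follow the header line of the Windows DHCP audit log.
# Assumption: check them against the header your server actually writes.
<Extension ParseDHCP>
    Module     xm_csv
    Delimiter  ,
    Fields     $ID, $Date, $Time, $Description, $IPAddress, $HostName, \
               $MACAddress, $UserName, $TransactionID, $QResult, \
               $ProbationTime, $CorrelationID, $Dhcid, $VendorClassHex, \
               $VendorClassASCII, $UserClassHex, $UserClassASCII, \
               $RelayAgentInformation, $DnsRegError
</Extension>

<Input dhcp>
    Module  im_file
    # Assumed location of the audit logs (one file per weekday).
    File    "C:\\Windows\\System32\\dhcp\\DhcpSrvLog-*.log"

    # Only data lines start with a two-digit event ID; drop the legend lines.
    Exec    if $raw_event !~ /^\d\d,/ drop();
    Exec    ParseDHCP->parse_csv();

    # Option 1: capture the parts and rebuild the string in a separate
    # statement. s/// cannot reference $1..$3, but a following statement can.
    # 06/15/16 is MM/DD/YY: month is $1, day is $2, two-digit year is $3.
    Exec    if $Date =~ /^(\d{2})\/(\d{2})\/(\d{2})$/ \
                $Date = '20' + $3 + '-' + $1 + '-' + $2;
    Exec    $EventTime = parsedate($Date + " " + $Time);

    # Option 2: skip the rewrite and hand the original MM/DD/YY value to
    # strptime() with an explicit format (comment out option 1 if you use this).
    # Exec  $EventTime = strptime($Date + " " + $Time, "%m/%d/%y %H:%M:%S");

    Exec    $host = hostname_fqdn();
    Exec    $SourceName = "DHCPEvents";
    Exec    $Message = to_json();
</Input>
```

The capture anchors (^ and $ with fixed \d{2} groups) make the conversion fail closed: a $Date that is not exactly MM/DD/YY is left untouched and parsedate() reports it, rather than silently producing an invalid ISO date. Note that the original regex in the question also had the month and day swapped in the replacement, which would have yielded 2016-15-06 even if substitution back-references were supported.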