Hi, can anyone help me with the output of my nxlog.conf? I want to convert the epoch time from my Bro logs.

Part of the logs:

1482865199.693051 FSYupp4bmRs8tT5Jyg 3 5A00020E4289E78C695848......
1482865200.300809 FmXyl22Uxsq1cudDd8 3 5A00020E4289E78C695848......
1482865200.203542 FAuSUU3X9pgdSJ2D2g 3 5A00020E4289E78C695848.......
1482865201.043722 F0KUdW3Nm5edyqPXLl 3 0CEAC9CAD430F24F334575.......

My current settings are

<Output o.name.log>
 Module om_tcp
 Host xx.xxx.xxx.xxx
 Port xxxx
 OutputType LineBased
</Output>

Thanks!

Asked January 11, 2017 - 7:50am

Answer (1)

The following should do that:

Exec if $raw_event =~ /^(\S+)/ { $EventTime = parsedate($1); }
Answered January 11, 2017 - 8:58am

Comments (3)

  • absolis

    Thanks, but it did not work; it is still sending in epoch format...

    1484240476.750904 FwWqJ5eE1mXPKOxpl 3 5A00020E4289E78C695......

    <Input i.name.log>
     Module im_file
     File "adrees.log"
     InputType LineBased
    </Input>

    <Output o.name.log>
     Module om_tcp
     Host xxx.xx.xxx.xx
     Port xxxxxx
     OutputType LineBased
     Exec if $raw_event =~ /^(\S+)/ { $EventTime = parsedate($1); }
    </Output>

    <Route r.name.log>
     Path i.name.log => o.name.log
    </Route>

    Did I do something wrong?

    January 12, 2017 - 6:16pm
  • b0ti

    OK, I forgot that you are not sending in JSON. This should do:

    Exec if $raw_event =~ s/^(\S+)// { $EventTime = parsedate($1); $raw_event = $EventTime + $raw_event; }

    If you need a different format you can use strftime().

    January 13, 2017 - 11:01am
  • absolis

    Thank you very much, that works.
    Regards!!

    January 13, 2017 - 11:58pm
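As an added example that is not part of this thread or of NXLog itself, the same rewrite that b0ti's second Exec rule performs (strip the leading epoch token, turn it into a readable timestamp, put it back in front of the rest of the line), written in Python so it can be checked offline against lines shaped like the Bro output in the question. It assumes UTC for the rendered time and passes Bro header lines (`#fields` etc.) through unchanged, which is what the `if` in the Exec rule does for lines that do not start with a timestamp; the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: one Bro header line plus records shaped like the
# ones in the question (the trailing hex payload is truncated as in the post).
SAMPLE_LINES = [
    "#fields\tts\tfuid\tdepth\tsha256",
    "1482865199.693051 FSYupp4bmRs8tT5Jyg 3 5A00020E4289E78C695848",
    "1482865200.300809 FmXyl22Uxsq1cudDd8 3 5A00020E4289E78C695848",
]

# Leading epoch seconds with an optional fractional part. Like the NXLog
# pattern ^(\S+), only the first token at the start of the line is touched.
EPOCH_RE = re.compile(r"^(\d+)(?:\.(\d+))?")


def convert_bro_line(line: str) -> str:
    """Replace a leading epoch timestamp with a UTC timestamp string.

    Mirrors 's/^(\\S+)//' followed by '$raw_event = $EventTime + $raw_event':
    the rest of the line (including its original separator) is kept as is.
    Lines with no leading epoch value are returned unchanged.
    """
    m = EPOCH_RE.match(line)
    if m is None:
        return line
    seconds = int(m.group(1))
    # Keep the fraction as digits instead of going through float(), so that
    # 1482865199.693051 cannot come out as ...693050 after rounding.
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    ts = datetime.fromtimestamp(seconds, tz=timezone.utc)
    ts = ts.replace(microsecond=int(frac))
    return ts.strftime("%Y-%m-%d %H:%M:%S.%f") + line[m.end():]


def convert_bro_lines(lines):
    """Apply convert_bro_line to every line of a Bro log."""
    return [convert_bro_line(line) for line in lines]


if __name__ == "__main__":
    for out in convert_bro_lines(SAMPLE_LINES):
        print(out)
```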