Hi, can anyone help me with the output of my nxlog.conf
I want to convert epoch time from my Bro logs;

Part of the logs:

1482865199.693051 FSYupp4bmRs8tT5Jyg 3 5A00020E4289E78C695848......
1482865200.300809 FmXyl22Uxsq1cudDd8 3 5A00020E4289E78C695848......
1482865200.203542 FAuSUU3X9pgdSJ2D2g 3 5A00020E4289E78C695848.......
1482865201.043722 F0KUdW3Nm5edyqPXLl 3 0CEAC9CAD430F24F334575.......

My current settings are

<Output o.name.log>
 Module om_tcp
 Host xx.xxx.xxx.xxx
 Port xxxx
 OutputType LineBased


AskedJanuary 11, 2017 - 7:50am

Answer (1)

The following should do that:

Exec if $raw_event =~ /^(\S+)/ { $EventTime = parsedate($1); }

Comments (3)

    Thanks but did not work, still sending in epoch format...

    1484240476.750904 FwWqJ5eE1mXPKOxpl 3 5A00020E4289E78C695......

    <Input i.name.log>
     Module im_file
     File "adrees.log"
     InputType LineBased

    <Output o.name.log>
     Module om_tcp
     Host xxx.xx.xxx.xx
     Port xxxxxx
     OutputType LineBased
     Exec if $raw_event =~ /^(\S+)/ { $EventTime = parsedate($1); }

    <Route r.name.log>
     Path i.name.log => o.name.log

    did I do something wrong?

    Ok, I forgot that you are not sending in JSON. This should do:

    Exec if $raw_event =~ s/^(\S+)// { $EventTime = parsedate($1); $raw_event = $EventTime + $raw_event; }

    If you need a different format you can use strftime().