From 6c3c234ca5583f420371bc706716e8ae1b0c5a61 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Wed, 5 Mar 2014 22:39:10 +0100
Subject: [PATCH] output-json: update timestamp format
This patch updates the timestamp format used in eve loggin. It uses a ISO 8601 comptatible string. This allow tools parsing the output to easily detect adn/or use the timestamp. In the EVE JSON output, the value of the timestamp key has been changed to 'timestamp' (instead of 'time'). This allows tools like Splunk to detect the timestamp and use it without configuration. Logstash configuration is simple: input { file { path => [ "/usr/local/var/log/suricata/eve.json" ] codec => json type => "suricata-log" } } filter { if [type] == "suricata-log" { date { match => [ "timestamp", "ISO8601" ] } } } In splunk, auto detection of the fle format is failling and it seems you need to define a type to parse JSON in $SPLUNK_DIR/etc/system/local/props.conf: [suricata] KV_MODE = json NO_BINARY_CHECK = 1 TRUNCATE = 0 Then you can simply declare the log file in $SPLUNK_DIR/etc/system/local/inputs.conf: [monitor:///usr/local/var/log/suricata/eve.json] sourcetype = suricata In both cases the timestamp are correctly imported by the tools.
---
 src/output-json-alert.c | 4 ++--
 src/output-json.c | 4 ++--
 src/util-time.c | 14 ++++++++++++++
 src/util-time.h | 1 +
 4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index c81a0f26d1..e27d3d1f64 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -141,7 +141,7 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
 MemBufferReset(buffer);
- CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
+ CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
 for (i = 0; i < p->alerts.cnt; i++) {
 const PacketAlert *pa = &p->alerts.alerts[i];
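Review bot: The new call `CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));` writes a 26-character string (`%04d-%02d-%02dT%02d:%02d:%02d.%06u`) where the old format may have been shorter, and snprintf truncates silently, so the declaration of timebuf, which lies outside this hunk along with the rest of AlertJsonDecoderEvent, should be confirmed to hold at least 27 bytes. The same check applies to the call in src/output-json.c at @@ -158, where timebuf is likewise declared out of view. A truncated timestamp would still be valid JSON and would only surface as mis-parsed dates in the consuming tool, so a comment at the buffer declaration tying its size to this format would help whoever next extends the string.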
@@ -169,7 +169,7 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
 }
 /* time & tx */
- json_object_set_new(js, "time", json_string(timebuf));
+ json_object_set_new(js, "timestamp", json_string(timebuf));
 /* tuple */
 //json_object_set_new(js, "srcip", json_string(srcip));
diff --git a/src/output-json.c b/src/output-json.c
index 999cbef1db..7c357cebba 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -158,7 +158,7 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type)
 if (unlikely(js == NULL))
 return NULL;
- CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
+ CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
 srcip[0] = '\0';
 dstip[0] = '\0';
@@ -204,7 +204,7 @@ json_t *CreateJSONHeader(Packet *p, int direction_sensitive, char *event_type)
 }
 /* time & tx */
- json_object_set_new(js, "time", json_string(timebuf));
+ json_object_set_new(js, "timestamp", json_string(timebuf));
 /* sensor id */
 if (sensor_id >= 0)
diff --git a/src/util-time.c b/src/util-time.c
index 614afd916d..e8f6fe107d 100644
--- a/src/util-time.c
+++ b/src/util-time.c
@@ -35,6 +35,9 @@ static struct timeval current_time = { 0, 0 };
 static SCSpinlock current_time_spinlock;
 static char live = TRUE;
+
+struct tm *SCLocalTime(time_t timep, struct tm *result);
+
 void TimeInit(void)
 {
 SCSpinInit(¤t_time_spinlock, 0);
@@ -120,6 +123,17 @@ void TimeSetIncrementTime(uint32_t tv_sec)
 TimeSet(&tv);
 }
+void CreateIsoTimeString (const struct timeval *ts, char *str, size_t size)
+{
+ time_t time = ts->tv_sec;
+ struct tm local_tm;
+ struct tm *t = (struct tm*)SCLocalTime(time, &local_tm);
+
+ snprintf(str, size, "%04d-%02d-%02dT%02d:%02d:%02d.%06u",
+ t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour,
+ t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);
+}
+
 /*
 * Time Caching code
 */
diff --git a/src/util-time.h b/src/util-time.h
index fe930ff105..cdf1d5bf7a 100644
--- a/src/util-time.h
+++ b/src/util-time.h
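Review bot: The prototype `struct tm *SCLocalTime(time_t timep, struct tm *result);` added at file scope in src/util-time.c duplicates the declaration that src/util-time.h already carries (it appears as unchanged context in that file's hunk), so if util-time.c includes its own header this line is redundant and the two declarations can silently drift apart; prefer dropping it and relying on the header. If the header is deliberately not included here, a one-line comment saying why would spare the next reader the same question.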
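Review bot: CreateIsoTimeString dereferences `t` immediately after `SCLocalTime(time, &local_tm)` with no NULL check, so if SCLocalTime can fail the way localtime_r does (its body is not in this patch) an unrepresentable tv_sec crashes the logging thread instead of yielding an empty field. The string is also local time without any UTC offset, which is not an unambiguous ISO 8601 value: the Logstash `ISO8601` match from the commit message has to assume a zone, and during the DST fall-back hour two different seconds get identical timestamps, which breaks ordering when events from several sensors are correlated. Appending the offset with strftime's `%z` (C99, needs <time.h>, which this file presumably already includes for struct tm) removes the ambiguity; while here, the `(struct tm*)` cast is redundant and the local named `time` shadows the `time()` function, so rename it. snprintf NUL-terminates on truncation, so checking its return before appending keeps every write inside `size`.
```c
void CreateIsoTimeString (const struct timeval *ts, char *str, size_t size)
{
    time_t secs = ts->tv_sec;
    struct tm local_tm;
    struct tm *t = SCLocalTime(secs, &local_tm);

    if (size == 0)
        return;
    if (t == NULL) {
        /* unrepresentable time: emit an empty, terminated string rather than crash */
        str[0] = '\0';
        return;
    }

    int n = snprintf(str, size, "%04d-%02d-%02dT%02d:%02d:%02d.%06u",
                     t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour,
                     t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);

    /* append the UTC offset (+hhmm) so the value is unambiguous ISO 8601 */
    char off[8];
    if (n > 0 && (size_t)n < size && strftime(off, sizeof off, "%z", t) > 0)
        snprintf(str + n, size - (size_t)n, "%s", off);
}
```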
@@ -48,6 +48,7 @@ void TimeModeSetOffline (void);
 struct tm *SCLocalTime(time_t timep, struct tm *result);
 void CreateTimeString (const struct timeval *ts, char *str, size_t size);
+void CreateIsoTimeString (const struct timeval *ts, char *str, size_t size);
 #endif /* __UTIL_TIME_H__ */
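Review bot: The new declaration `void CreateIsoTimeString (const struct timeval *ts, char *str, size_t size);` carries no comment describing its contract, and the header is where callers sizing their buffer will look first. Suggest a line above it such as `/* Format ts as local time "YYYY-MM-DDTHH:MM:SS.uuuuuu" (26 chars); str must hold at least 27 bytes, longer output is truncated but NUL-terminated. */`. Whether the result is local time or UTC is stated nowhere in the header, and that matters to every consumer correlating events across hosts.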