[Snort-users] Re: You caught them (RR TZ issue)

JP Vossen vossenjp at ...8683...
Fri Apr 4 16:17:04 EST 2003

On Thu, 3 Apr 2003 snort-users-request at lists.sourceforge.net wrote:

> Message: 3
> Date: Fri, 4 Apr 2003 10:54:24 +1200
> From: Jason Haar <Jason.Haar at ...294...>
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] You caught them, what next?
> Organization: Trimble Navigation New Zealand Ltd.
> On Thu, Apr 03, 2003 at 01:02:15PM -0600, bmcdowell at ...7861... wrote:
> > [...]  I believe he said they wanted
> > that information in the logs themselves.  Presumably, so the
> I'm sorry if I'm missing the blindingly obvious here - but why don't you
> just EDIT your logs to include the timezone before you send it to them?

I've been wondering when someone would mention this, and I kept not doing it
myself to avoid 37 similar messages as everyone sent the same message...  Oh

But how about a simple Perl script to do the same?  Heck, you could probably
do it with awk pretty easily too.  Both of those run on Windows or UNIX, so...
Here is a one-line Perl (command line) program for UNIX (one-liners on Windows
are hard because of quoting issues):
cat mylog | perl -pe 's/^(\w+\s+\d{1,2} \d{2}:\d{2}:\d{2})/$1 EST/'

Try tailing /var/log/messages into the above Perl to see what it looks like,
then use the "real" log and redirect the output to a new log file name and
you're set.  If you need help to write the Perl code send me a note offline
and I'll give you a hand.  I can also post other code to the list if anyone
else cares.

To CONVERT a time stamp is not trivial, but to just add TZ code is.  Did they
say what format (e.g. EST, EST5EDT, or UTC-0500)?

JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed

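An added example, not part of the original post: where the recipient wants converted times rather than an appended label, this Python code goes beyond the one-liner above and rewrites classic syslog stamps as ISO 8601 UTC, handling the day and year rollover that makes conversion harder than labelling. The function name `to_utc`, the `EST` constant and the sample lines are constructed for illustration; the year has to be supplied because syslog does not record it.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Classic syslog stamp, e.g. "Apr  4 16:17:04": no year and no zone.
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2})")

def to_utc(lines, start_year, tz):
    """Rewrite leading syslog timestamps as ISO 8601 UTC.

    start_year: year of the first entry (syslog does not record it).
    tz: tzinfo the logging host used. A fixed offset such as EST below does
        not follow daylight saving; pass zoneinfo.ZoneInfo("America/New_York")
        instead where the tz database is installed.
    Lines without a parsable stamp are passed through unchanged.
    """
    year, last_month, out = start_year, None, []
    for line in lines:
        m = STAMP.match(line)
        if not m or m.group(1) not in MONTHS:
            out.append(line)
            continue
        month = MONTHS[m.group(1)]
        # Dec -> Jan inside one file means the log crossed New Year.
        y = year + 1 if last_month and month < last_month else year
        try:
            local = datetime(y, month, *map(int, m.groups()[1:]), tzinfo=tz)
        except ValueError:  # e.g. "Feb 30" or hour 25: leave the line as-is
            out.append(line)
            continue
        year, last_month = y, month
        utc = local.astimezone(timezone.utc)
        out.append(utc.strftime("%Y-%m-%dT%H:%M:%SZ") + line[m.end():])
    return out

EST = timezone(timedelta(hours=-5), "EST")  # fixed UTC-0500

SAMPLE = [  # constructed log lines, not taken from the thread
    "Apr  4 16:17:04 sensor1 snort: constructed alert A",
    "Dec 31 22:30:00 sensor1 snort: constructed alert B",
    "Jan  1 00:05:00 sensor1 snort: constructed alert C",
    "-- MARK --",
]

if __name__ == "__main__":
    print("\n".join(to_utc(SAMPLE, 2003, EST)))
```

Keep the original file alongside the converted copy so the recipient can check the rewrite against the untouched log.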