Hi there

I'm trying to push DNS logs into graylog and it looks like the nxlog
parsedate function doesn't like the time format

eg

15/08/2016 10:26:18 a.m. 0CF8 PACKET  00000000044E6310 UDP Rcv 1.2.3.4   83a8   Q [0001   D   NOERROR] AAAA   (13)2sf-apdpdx201(2)xx(11)urifblecorp(3)net(0)

So parsedate("15/08/2016 10:26:18 a.m.") doesn't return and I'm not
surprised. "15/08/2016" is 15th Aug 2016 in my locale, but I can see the
same logging on a US DNS server would be "08/15/2016", and in both cases
there's no mention of the timezone, and "a.m" is not "AM"

So I tried it the hard way using strptime, and almost got it working. Here
I'm using 'xxtimestamp' so that it doesn't show up as the 'real' timestamp
while testing

<Exec>
    if $raw_event =~ /^([^\s]+\s+[^\s]+)\s+([^\s]+)\.\s+[^\s]+\s+PACKET\s+[^\s]+\s+[^\s]+\s+Rcv\s+([^\s]+)\s+[^\s]+\s+[^\s]+\s+[^\s]+\s+[^\s]+\s+[^\s]+\s+([A-Z]+)\s+\([0-9]+\)(.*)\(0\)$/
    {
        # $1 = "15/08/2016 10:26:18", $2 = "a.m" (the final "." is consumed by the regex)
        $origDate = $1;
        # "a.m" / "p.m" -> "AM" / "PM", the only forms %p understands
        $ampm = uc($2);
        $ampm =~ s/\.//g;
        $origDate = $origDate + " " + $ampm;
        # nxlog does not expand variables inside quoted strings: "$origDate" is the
        # literal text $origDate, which strptime cannot parse. Pass the variable itself.
        $xxtimestamp = strptime($origDate, "%d/%m/%Y %I:%M:%S %p");
        # Fallback for testing only; left commented out so failed parses stay visible.
        #if not defined($xxtimestamp) $xxtimestamp = now();
        # strptime has no timezone input, so the value is taken as the agent's local
        # time; the trailing "Z" is only correct if nxlog itself runs in UTC.
        $xxtimestamp = strftime($xxtimestamp, "%Y-%m-%dT%H:%M:%SZ");
        $src_ipv4 = $3;
        $dnsRecordType = $4;
        $dnsRecord = lc($5);
        # "(13)2sf-apdpdx201(2)xx(11)urifblecorp(3)net" -> ".2sf-apdpdx201.xx.urifblecorp.net"
        $dnsRecord =~ s/\([0-9]+\)/./g;
        # strip the leading dot left by the first "(n)" label-length marker
        $dnsRecord =~ s/^\.//;
    }
    else drop();
</Exec>

I end up with $origDate="15/08/2016 10:26:18 AM", but no $xxtimestamp - so
strptime doesn't like the 'ampm', methinks?

Is there any way to do this in a locale-friendly manner? I guess I could go
do some grotty math like "if $ampm=~/^p then add 12 to $hour" and skip that
'ampm' variable, but I'm still not sure how to take the timezone into
account (without hard-wiring it, which I don't want to do, as I'd like one
config for several DNS servers in different countries)

Any ideas? Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
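As an added example (not part of the original post and not nxlog code), here is a Python parser for the same Windows DNS debug-log packet line that deals with the two problems raised above: the "a.m."/"p.m." suffix and the missing date order and timezone. Both are looked up from a per-server table keyed on the host that wrote the log, so one parser serves a dd/mm/yyyy server in New Zealand and an mm/dd/yyyy server in the US and emits UTC. The host names dns-akl and dns-sjc, the US log line and the fixed-offset fallback (used only where no tz database is installed; the offsets are the August values for those zones) are assumptions; the first log line is the one from the post.

```python
"""Parse Windows DNS debug-log packet lines into UTC timestamps and DNS fields.

Added example for the nxlog-ce-users thread above; not the poster's or nxlog's
code. Host names and the second sample line are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError


def _tz(name, fallback_hours):
    """IANA zone (handles DST) if tzdata is present, else a fixed offset."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=fallback_hours))


# The debug log carries neither a timezone nor an unambiguous date order, so
# both come from knowing which server wrote the file (hypothetical hosts).
HOSTS = {
    "dns-akl": {"date_order": "dmy", "tz": _tz("Pacific/Auckland", 12)},
    "dns-sjc": {"date_order": "mdy", "tz": _tz("America/Los_Angeles", -7)},
}

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})"
    r"(?:\s+(?P<ampm>[AaPp]\.?[Mm]\.?))?\s+"      # "a.m.", "PM", or absent (24h clock)
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)$"
)


def decode_qname(wire):
    """'(13)2sf-apdpdx201(2)xx(11)urifblecorp(3)net(0)' -> dotted name.

    The number in parentheses is the DNS label length; check it rather than
    blindly replacing '(n)' with '.', which also leaves a leading dot.
    """
    labels = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", wire):
        if len(text) != int(length):
            raise ValueError(f"label length mismatch in {wire!r}")
        if text:
            labels.append(text.lower())
    return ".".join(labels)


def parse_line(line, host):
    """Return the parsed fields for one packet line, or None if it is not one."""
    cfg = HOSTS[host]
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    a, b, year = (int(x) for x in m["date"].split("/"))
    day, month = (a, b) if cfg["date_order"] == "dmy" else (b, a)
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    # Normalise "a.m." / "p.m." / "AM" / "PM" and apply the 12-hour rules.
    ampm = (m["ampm"] or "").replace(".", "").upper()
    if ampm == "AM" and hour == 12:
        hour = 0                      # 12:xx a.m. is 00:xx
    elif ampm == "PM" and hour != 12:
        hour += 12
    local = datetime(year, month, day, hour, minute, second, tzinfo=cfg["tz"])
    return {
        "timestamp": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "src_ipv4": m["ip"],
        "direction": m["dir"],
        "qtype": m["qtype"],
        "qname": decode_qname(m["qname"]),
    }


# First line is the one quoted in the post; the second is constructed.
SAMPLE = {
    "dns-akl": "15/08/2016 10:26:18 a.m. 0CF8 PACKET  00000000044E6310 UDP Rcv 1.2.3.4"
               "   83a8   Q [0001   D   NOERROR] AAAA   "
               "(13)2sf-apdpdx201(2)xx(11)urifblecorp(3)net(0)",
    "dns-sjc": "08/15/2016 3:26:18 PM 0CF8 PACKET  00000000044E6310 UDP Rcv 5.6.7.8"
               "   9b1c   Q [0001   D   NOERROR] A     (7)example(3)com(0)",
}

if __name__ == "__main__":
    for host, line in SAMPLE.items():
        print(host, parse_line(line, host))
```

The per-host table is the piece nxlog cannot get from the log line itself; in a collector you would key it on the file path or the sending host's name. Keeping the zone as an IANA name rather than a fixed offset means the same table stays correct across DST changes.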
