Snort mailing list archives
Re: You caught them (RR TZ issue)
From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 4 Apr 2003 19:16:30 -0500 (EST)
On Thu, 3 Apr 2003 snort-users-request () lists sourceforge net wrote:
Message: 3
Date: Fri, 4 Apr 2003 10:54:24 +1200
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] You caught them, what next?
Organization: Trimble Navigation New Zealand Ltd.
On Thu, Apr 03, 2003 at 01:02:15PM -0600, bmcdowell () coxhealthplans com wrote:
[...]
I believe he said they wanted that information in the logs themselves. Presumably, so the
I'm sorry if I'm missing the blindingly obvious here - but why don't you just EDIT your logs to include the timezone before you send it to them?
I've been wondering when someone would mention this, and I kept not doing it
myself to avoid 37 similar messages as everyone sent the same message... Oh
well.
But how about a simple Perl script to do the same? Heck, you could probably
do it with awk pretty easily too. Both of those run on Windows or UNIX, so...
Here is a one line Perl (command line) program for UNIX (one-liners on Windows
are hard because of quoting issues):
cat mylog | perl -npe 's/^(\w+\s+\d{1,2} \d{2}:\d{2}:\d{2})/$1 EST /'
Try tailing /var/log/messages into the above Perl to see what it looks like,
then use the "real" log and redirect the output to a new log file name and
you're set. If you need help to write the Perl code send me a note offline
and I'll give you a hand. I can also post other code to the list if anyone
else cares.
To CONVERT a time stamp is not trivial, but to just add TZ code is. Did they
say what format (e.g. EST, EST5EDT, or UTC-0500)?
Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP |:::======| jp () jpsdomain org
My Account, My Opinions |=========| http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
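
The timestamp conversion described above as not trivial, as an added example that is not part of the original post: it rewrites year-less syslog stamps to ISO 8601 with a numeric offset, or to UTC, so the zone label follows the DST switch instead of being fixed. The `restamp` name, the caller-supplied year, the US Eastern 2003 rule string and the sample lines are assumptions made for this illustration.

```python
import os
import re
import time

# Classic BSD syslog stamp, e.g. "Apr  4 19:16:30": no year and no zone.
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2})")
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Assumption: the sensor clock ran on US Eastern time under the 2003 DST
# rules (first Sunday of April to last Sunday of October), POSIX TZ syntax.
US_EASTERN_2003 = "EST5EDT,M4.1.0,M10.5.0"

def restamp(line, year, tz=US_EASTERN_2003, utc=False):
    """Replace a leading syslog stamp with ISO 8601 (local+offset, or UTC)."""
    m = STAMP.match(line)
    if not m or m.group(1) not in MONTHS:
        return line                      # not a stamped line: pass through
    mon, day, hh, mm, ss = m.groups()
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz                # process-wide setting, restored below
    time.tzset()
    try:
        # tm_isdst=-1 lets the C library decide whether DST was in effect.
        epoch = time.mktime((year, MONTHS[mon], int(day),
                             int(hh), int(mm), int(ss), 0, 0, -1))
        if utc:
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(epoch))
        else:
            local = time.localtime(epoch)
            sign = "-" if local.tm_gmtoff < 0 else "+"
            off = abs(local.tm_gmtoff) // 60
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S", local)
            stamp += "%s%02d:%02d" % (sign, off // 60, off % 60)
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()
    return stamp + line[m.end():]

# Constructed sample lines (host name and message text are made up).
SAMPLE = ["Apr  4 19:16:30 ids1 snort: constructed alert",
          "Apr  7 19:16:30 ids1 snort: constructed alert",
          "    continuation line without a stamp"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(restamp(entry, 2003))
```

The two stamped sample lines fall on either side of the 6 April 2003 switch to daylight time, so their offsets differ by an hour even though the wall-clock time is the same.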
