[Bro] [bro] bro_json-logs

Azoff, Justin S jazoff at illinois.edu
Fri Nov 20 08:34:33 PST 2015


> On Nov 20, 2015, at 11:19 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> 
> Thank you Daniel and Derek, it appears that changing the bro ts to TS_MILLIS and using a logstash date match UNIX_MS filter has fixed the strange date issue.  
> 
> This leads me to believe there is some issue with how bro interprets/prints ISO8601 timestamps.  But for now this workaround will suffice.
> 
> Thanks again

That's really odd because it is not interpreting them. The timestamp is already in seconds, it just passes it on to strftime:


    // double seconds since the epoch -> time_t: the fractional second is truncated
    time_t t = time_t(val->val.double_val);
    // render the whole seconds in UTC; no interpretation of the value happens here
    if ( strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M:%S", gmtime(&t)) > 0 )


the TS_MILLIS setting just outputs val->val.double_val * 1000 as-is


-- 
- Justin Azoff
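To make the two output modes concrete, here is a small added example (not code from the Bro source) that applies the same time_t/strftime/gmtime path as the snippet above and the TS_MILLIS scaling to one constructed timestamp; ts_iso8601_ms is an addition of my own that keeps the millisecond part, which the quoted snippet does not.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Bro keeps a log timestamp as a double: seconds since the Unix epoch.
 * The two output modes from the thread, reimplemented here as a standalone
 * example (not the Bro source) so the difference can be seen on one value. */

/* TS_ISO8601 as in the quoted snippet: convert to time_t (which drops the
 * fractional second) and let strftime() render gmtime(). Writes into out and
 * returns out on success, or NULL if conversion or formatting fails. */
char *ts_iso8601(double ts, char *out, size_t outlen)
{
    time_t t = (time_t)ts;                 /* 1448036373.25 -> 1448036373 */
    struct tm *tm = gmtime(&t);            /* UTC, the same call the snippet uses */
    if ( tm == NULL )
        return NULL;
    if ( strftime(out, outlen, "%Y-%m-%dT%H:%M:%S", tm) == 0 )
        return NULL;                       /* buffer too small for the format */
    return out;
}

/* TS_MILLIS: the double scaled by 1000; the fractional second survives,
 * which is what a logstash UNIX_MS date match then parses. */
long long ts_millis(double ts)
{
    return (long long)(ts * 1000.0);
}

/* Added variant, not on the page: keep the millisecond part in the ISO form
 * too. It is taken from the integer TS_MILLIS value rather than by rounding
 * a fraction, so the seconds and milliseconds fields never disagree.
 * gmtime() output is UTC, hence the trailing Z. */
char *ts_iso8601_ms(double ts, char *out, size_t outlen)
{
    char secs[24];
    if ( ts_iso8601(ts, secs, sizeof secs) == NULL )
        return NULL;
    int n = snprintf(out, outlen, "%s.%03lldZ", secs, ts_millis(ts) % 1000);
    return (n > 0 && (size_t)n < outlen) ? out : NULL;
}
```

With the constructed value 1448036373.25, ts_iso8601 yields 2015-11-20T16:19:33 while ts_millis yields 1448036373250, so only the millisecond form carries the sub-second ordering a log consumer may need.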