[Bro] [bro] bro_json-logs
Azoff, Justin S
jazoff at illinois.edu
Fri Nov 20 08:34:33 PST 2015
> On Nov 20, 2015, at 11:19 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> Thank you Daniel and Derek, it appears that changing the bro ts to TS_MILLIS and using a logstash date match UNIX_MS filter has fixed the strange date issue.
> This leads me to believe there is some issue with how bro interprets/prints ISO8601 timestamps. But for now this workaround will suffice.
> Thanks again
That's really odd because it is not interpreting them. The timestamp is already in seconds, it just passes it on to strftime:

    time_t t = time_t(val->val.double_val);
    if ( strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M:%S", gmtime(&t)) > 0 )

The TS_MILLIS setting just outputs val->val.double_val * 1000 as-is.
- Justin Azoff
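
Added example, not part of the original message and not Bro's code: a Python sketch of the two timestamp forms described above and of how a log consumer can normalize both to UTC. The function names, the sample timestamp and the made-up zone "XYZ6" are assumptions for illustration; `skew_if_read_as_local` shows the error a consumer gets if it reads the zone-less string as local time.

```python
import os
import time
from datetime import datetime, timezone

ISO_FMT = "%Y-%m-%dT%H:%M:%S"      # format string quoted in the message above
SAMPLE_TS = 1448037273.482913      # constructed epoch value, seconds as a double

def bro_iso8601(ts):
    """Mirror the quoted lines: truncate to whole seconds, format via gmtime."""
    return time.strftime(ISO_FMT, time.gmtime(int(ts)))

def bro_millis(ts):
    """TS_MILLIS as described above: the double value times 1000."""
    return ts * 1000

def to_utc(value):
    """Normalize either representation to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    # The string carries no zone designator; it came from gmtime, so it is UTC.
    return datetime.strptime(value, ISO_FMT).replace(tzinfo=timezone.utc)

def skew_if_read_as_local(value, tz="XYZ6"):
    """Seconds of error when the zone-less string is parsed as local time.

    tz is a POSIX TZ string; "XYZ6" is a made-up zone 6 hours behind UTC.
    Uses time.tzset(), so this helper is Unix-only.
    """
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        wrong = time.mktime(time.strptime(value, ISO_FMT))
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()
    return wrong - to_utc(value).timestamp()

if __name__ == "__main__":
    iso, ms = bro_iso8601(SAMPLE_TS), bro_millis(SAMPLE_TS)
    print(iso, "->", to_utc(iso).isoformat())
    print(ms, "->", to_utc(ms).isoformat())
    print("error if read as local time (s):", skew_if_read_as_local(iso))
```
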