Greetings! Per your suggestion in the Google group I have created this feature request.
Specifically, in order to facilitate proper processing of timestamps when either ingesting logs that were delayed in transit (the timestamp in the MESSAGE field is skewed from the syslog header timestamp) or just ingesting old logs, it would be nice to be able to use the timestamp from the log MESSAGE if found, or if an option is present in the rule and the temporal field is found in the lognorm output.
Additionally, I just reviewed the most recent liblognorm changelog and found they have added some options that could be useful for this:
---SNIP
added support for creating unix timestamps supported by parsers: date-rfc3164, date-rfc5424.
---SNIP
I know it should be possible to do this in syslog-ng or rsyslog prior to placing the message on the Sagan FIFO, but I think it would still be nice.
Thanks!
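The selection behaviour the request asks for (prefer a timestamp found in the MESSAGE, fall back to the syslog header, and report the skew between the two), as an added Python example that is not Sagan or liblognorm code. The sample events are constructed, and RFC 3164 stamps (no year, no zone) are assumed to share the header's year and UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, not from the issue: (syslog header timestamp, MESSAGE body).
SAMPLE_EVENTS = [
    ("2017-12-08T10:15:00Z", "2017-12-07T22:00:00Z sshd[1234]: Failed password for invalid user admin"),
    ("2017-12-08T10:15:00Z", "Dec  8 10:14:58 kernel: possible SYN flooding on port 443"),
    ("2017-12-08T10:15:00Z", "cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
]

RFC5424_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})")
RFC3164_RE = re.compile(r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\b")

def parse_rfc5424(text):
    # Python 3.7+ strptime %z accepts both "Z" and "+hh:mm"; fractional seconds are dropped.
    return datetime.strptime(re.sub(r"\.\d+", "", text), "%Y-%m-%dT%H:%M:%S%z")

def parse_rfc3164(text, reference):
    # RFC 3164 carries no year and no zone: assume the header's year and UTC (constructed assumption).
    stamp = datetime.strptime(f"{reference.year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)

def timestamp_from_message(message, header_ts):
    """Return (datetime, format) for the first timestamp in the MESSAGE, or (None, None)."""
    m = RFC5424_RE.search(message)
    if m:
        return parse_rfc5424(m.group(0)), "rfc5424"
    m = RFC3164_RE.search(message)
    if m:
        return parse_rfc3164(m.group(0), header_ts), "rfc3164"
    return None, None

def select_event_time(header, message, prefer_message=True):
    """Return (event_time, source, skew_seconds); skew = header minus message time."""
    header_ts = parse_rfc5424(header)
    msg_ts, fmt = timestamp_from_message(message, header_ts)
    if msg_ts is None or not prefer_message:
        return header_ts, "header", 0.0
    return msg_ts, f"message:{fmt}", (header_ts - msg_ts).total_seconds()

if __name__ == "__main__":
    for header, message in SAMPLE_EVENTS:
        when, source, skew = select_event_time(header, message)
        print(f"{when.isoformat()}  source={source:<16} skew={skew:>8.0f}s  {message[:40]}")
```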
CyberTaoFlow changed the title from "Feature request - use temporal values if found in lognorm fields. dx cvvvvvvv" to "Feature request - use temporal values if found in lognorm fields." on Dec 8, 2017