How to write TSV logs with ISO timestamps

tonyspark · October 17, 2022, 8:45pm

What is the best way to convert the ts field of all log types into ISO format when written out using Ascii/TSV? Similar to -d for zeek-cut. I am not using json format so cannot use JSON::TS_ISO8601, but would like to do the equivalent for TSV.

I have looked through the topics here and have not been able to find an answer. Looking at the documentation it seems like Log::log_stream_policy hook could be used for this, but am having difficulty finding an example of this.

Any ideas or past solutions? Why was this never implemented along with the json functionality for date format?

awelzel · October 25, 2022, 10:10am

Hey @tonyspark

Any ideas or past solutions? Why was this never implemented along with the json functionality for date format?

Nothing that comes immediately to mind, but others might know more. Suspect post-processing/rotation with zeek-cut -d would be one option. It might also just be a missing feature to align with the JSON writer that no one has yet requested/needed (?).

Would you be up opening a feature request on the Github zeek/zeek project?

awelzel · November 3, 2022, 1:22pm

Opened a discussion here: Configurable TSV timestamp format · Discussion #2536 · zeek/zeek · GitHub

Topic		Replies	Views
zeek ts conversion Zeek	3	163	May 6, 2022
Bro logs from JSON to TSV Zeek	7	388	May 6, 2022
Working with tsv and json log files at the same time Zeek	4	383	May 6, 2022
Set Zeek logs to json format Zeek training	2	467	December 15, 2022
Timestamps in logs files without any msec Zeek	2	74	May 6, 2022

How to write TSV logs with ISO timestamps

Related topics