Bug #1441
Status: closed
Local timestamps in json events
Description
Suricata outputs local timestamps in json events (https://github.com/inliniac/suricata/blob/e78e33a428865e1317d190a299976ed0253db26e/src/output-json.c#L198) but omits the timezone and this is not a good idea IMHO.
Suricata should output either timestamps without timezone in UTC time or local timestamps including the timezone.
Updated by Alessandro Guido over 9 years ago
I should add that using UTC timestamps without timezone is a sub-optimal solution because such knowledge has to be propagated to log collectors. To really make each event self-contained, the timestamp should include the timezone.
Updated by Alexander Gozman over 9 years ago
Alessandro Guido wrote:
I should add that using UTC timestamps without timezone is a sub-optimal solution because such knowledge has to be propagated to log collectors. To really make each event self-contained, the timestamp should include the timezone.
You mean something like '2000-01-01T00:00:00.000000+01:00' or '2000-01-01T00:00:00.0000000Z'?
I think this could be done relatively easily, especially when libc provides tm_gmtoff in struct tm.
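An added example, not Suricata's own code or the linked pull request, showing how the '+HH:MM' suffix proposed above can be built from tm_gmtoff. The function names and the 64-byte buffer are assumptions for this illustration; the core formatter takes the offset as a plain argument so it can be checked without depending on the machine's timezone.

```c
#define _GNU_SOURCE /* expose tm_gmtoff in struct tm on glibc */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>

/* Render a broken-down local time, its UTC offset (seconds east of UTC, the
 * value libc exposes as tm_gmtoff) and microseconds as
 * YYYY-MM-DDTHH:MM:SS.uuuuuu+HH:MM. Returns the number of characters written,
 * or -1 if the buffer is too small. Negative offsets get a '-' sign and
 * half-hour zones (e.g. -03:30) keep their minutes. */
int format_iso8601_offset(const struct tm *tm, long gmtoff, long usec,
                          char *buf, size_t buflen)
{
    char sign = '+';
    if (gmtoff < 0) {
        sign = '-';
        gmtoff = -gmtoff;
    }
    long off_h = gmtoff / 3600;
    long off_m = (gmtoff % 3600) / 60;
    int n = snprintf(buf, buflen,
                     "%04d-%02d-%02dT%02d:%02d:%02d.%06ld%c%02ld:%02ld",
                     tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
                     tm->tm_hour, tm->tm_min, tm->tm_sec, usec,
                     sign, off_h, off_m);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Take a struct timeval as a packet capture would carry it and format it in
 * local time; localtime_r() fills tm_gmtoff with the offset that applied at
 * that instant, so DST changes are reflected per event. */
int format_timeval_local(const struct timeval *tv, char *buf, size_t buflen)
{
    struct tm tm;
    time_t secs = tv->tv_sec;
    if (localtime_r(&secs, &tm) == NULL)
        return -1;
    return format_iso8601_offset(&tm, tm.tm_gmtoff, (long)tv->tv_usec,
                                 buf, buflen);
}

int main(void)
{
    struct timeval now;
    char buf[64]; /* assumed large enough for the 32-character result */
    gettimeofday(&now, NULL);
    if (format_timeval_local(&now, buf, sizeof buf) > 0)
        printf("%s\n", buf);
    return 0;
}
```

A collector can then parse every event on its own, without being told which timezone the sensor runs in.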
Updated by Alessandro Guido over 9 years ago
'2000-01-01T00:00:00.000000+01:00' would be perfect
Updated by Alexander Gozman over 9 years ago
Alessandro Guido wrote:
'2000-01-01T00:00:00.000000+01:00' would be perfect
Ok, here goes the first attempt: https://github.com/inliniac/suricata/pull/1436
Hope it'll be accepted :)
Updated by Alexander Gozman over 9 years ago
- Status changed from New to Resolved
- Target version set to 3.0RC1
- % Done changed from 0 to 100
Updated by Victor Julien over 9 years ago
- Status changed from Resolved to Closed
- Target version changed from 3.0RC1 to 2.1beta4