diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1c5ae2ac160..a2c6bb601f2 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -481,6 +481,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add support for v1 consumer API in Cloud Foundry input, use it by default. {pull}19125[19125]
 - Add new mode to multiline reader to aggregate constant number of lines {pull}18352[18352]
 - Explicitly set ECS version in all Filebeat modules. {pull}19198[19198]
+- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346]
 *Heartbeat*
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go
index 6ef0b830622..c2c6776dcdb 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/types.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/types.go
@@ -103,18 +103,33 @@ func toMACAddress(v string) (string, error) {
 var timeLayouts = []string{
 // MMM dd HH:mm:ss.SSS zzz
 "Jan _2 15:04:05.000 MST",
+ "Jan _2 15:04:05.000 Z0700",
+ "Jan _2 15:04:05.000 Z07:00",
+ // MMM dd HH:mm:sss.SSS
 "Jan _2 15:04:05.000",
+ // MMM dd HH:mm:ss zzz
 "Jan _2 15:04:05 MST",
+ "Jan _2 15:04:05 Z0700",
+ "Jan _2 15:04:05 Z07:00",
+ // MMM dd HH:mm:ss
 "Jan _2 15:04:05",
+ // MMM dd yyyy HH:mm:ss.SSS zzz
 "Jan _2 2006 15:04:05.000 MST",
+ "Jan _2 2006 15:04:05.000 Z0700",
+ "Jan _2 2006 15:04:05.000 Z07:00",
+ // MMM dd yyyy HH:mm:ss.SSS
 "Jan _2 2006 15:04:05.000",
+ // MMM dd yyyy HH:mm:ss zzz
 "Jan _2 2006 15:04:05 MST",
+ "Jan _2 2006 15:04:05 Z0700",
+ "Jan _2 2006 15:04:05 Z07:00",
+ // MMM dd yyyy HH:mm:ss
 "Jan _2 2006 15:04:05",
 }
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
new file mode 100644
index 00000000000..142538eece4
--- /dev/null
+++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
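Review bot: The new comment `// MMM dd HH:mm:sss.SSS` (added above `"Jan _2 15:04:05.000"`) has a typo in the seconds field; it should read `// MMM dd HH:mm:ss.SSS` like the neighbouring group comments, and the same text is repeated in the new types_test.go. Since the list now mixes three zone verbs, a one-line comment at the top of `timeLayouts` would help readers, e.g. `// Layouts are tried in order; the MST, Z0700 and Z07:00 verbs accept named zones, compact offsets and colon-separated offsets respectively.` Note that, as far as I recall Go's time package, a two-digit form such as `+05` is not accepted by `Z0700` or `Z07:00` but by the `MST` verb's zone-name parsing, so that variant is worth a remark too; confirm against time.Parse before documenting it.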
@@ -0,0 +1,63 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cef
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestToTimestamp(t *testing.T) {
+ var times = []string{
+ // Unix epoch in milliseconds.
+ "1322004689000",
+
+ // MMM dd HH:mm:ss.SSS zzz
+ "Jun 23 17:37:24.000 Z",
+ "Jun 23 17:37:24.000 EST",
+ "Jun 23 17:37:24.000 +05",
+ "Jun 23 17:37:24.000 +0500",
+ "Jun 23 17:37:24.000 +05:00",
+
+ // MMM dd HH:mm:sss.SSS
+ "Jun 23 17:37:24.000",
+
+ // MMM dd HH:mm:ss zzz
+ "Jun 23 17:37:24 Z",
+ "Jun 23 17:37:24 EST",
+ "Jun 23 17:37:24 +05",
+ "Jun 23 17:37:24 +0500",
+ "Jun 23 17:37:24 +05:00",
+
+ // MMM dd HH:mm:ss
+ "Jun 23 17:37:24",
+
+ // MMM dd yyyy HH:mm:ss.SSS zzz
+ "Jun 23 2020 17:37:24.000 Z",
+ "Jun 23 2020 17:37:24.000 EST",
+ "Jun 23 2020 17:37:24.000 +05",
+ "Jun 23 2020 17:37:24.000 +0500",
+ "Jun 23 2020 17:37:24.000 +05:00",
+
+ // MMM dd yyyy HH:mm:ss.SSS
+ "Jun 23 2020 17:37:24.000",
+
+ // MMM dd yyyy HH:mm:ss zzz
+ "Jun 23 2020 17:37:24 Z",
+ "Jun 23 2020 17:37:24 EST",
+ "Jun 23 2020 17:37:24 +05",
+ "Jun 23 2020 17:37:24 +0500",
+ "Jun 23 2020 17:37:24 +05:00",
+
+ // MMM dd yyyy HH:mm:ss
+ "Jun 23 2020 17:37:24",
+ }
+
+ for _, timeValue := range times {
+ _, err := toTimestamp(timeValue)
+ assert.NoError(t, err, timeValue)
+ }
+}
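Review bot: `TestToTimestamp` only asserts `assert.NoError(t, err, timeValue)` and discards the parsed value, so it cannot tell whether the timezone offsets this commit adds support for are actually applied; an input parsed into the wrong instant, or with its offset silently dropped, still passes. For the offset inputs (`Z`, `+05`, `+0500`, `+05:00`) the test should also check the resulting zone offset, which `Zone()` exposes without depending on the year the year-less layouts produce. If I read Go's `time.Parse` correctly, a bare `+05` is accepted by the `MST` verb as a zone *name* and, unless the host zone database knows that name, is given an offset of 0 rather than +5h, which is exactly the regression this test would miss; `EST` is host-dependent in the same way, so its expected offset is harder to pin and is left out below. This assumes `toTimestamp` returns a `time.Time`, which the hunk does not show.
```go
	// … unchanged: license header, package clause, imports …
	cases := []struct {
		in         string
		wantOffset int // seconds east of UTC
	}{
		{"Jun 23 17:37:24.000 Z", 0},
		{"Jun 23 17:37:24.000 +05", 5 * 3600},
		{"Jun 23 17:37:24.000 +0500", 5 * 3600},
		{"Jun 23 17:37:24.000 +05:00", 5 * 3600},
		// … remaining inputs from the existing list, each paired with its expected offset …
	}
	for _, tc := range cases {
		ts, err := toTimestamp(tc.in)
		if !assert.NoError(t, err, tc.in) {
			continue
		}
		_, gotOffset := ts.Zone()
		assert.Equal(t, tc.wantOffset, gotOffset, tc.in)
	}
```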