From 39ec9dc933849ecc035efc35ab4f6505e24ba9ff Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 14 Sep 2020 16:08:14 -0400 Subject: [PATCH] Add support for GMT timezone offset in decode_cef (#20993) (#21059) The Java SimpleDataFormat's `zzz` allows for `GMT-07:00` in timestamps but this wasn't handled in the processor. (cherry picked from commit 6cfee0c7a1f2917f51840a4739831a8c17397b25) --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/processors/decode_cef/cef/types.go | 4 ++++ x-pack/filebeat/processors/decode_cef/cef/types_test.go | 4 ++++ 3 files changed, 9 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0ea45e376b2..c7afd6365bc 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -82,6 +82,7 @@ field. You can revert this change by configuring tags for the module and omittin - Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808] - Tracking session end reason in panw module. {pull}18705[18705] - Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] +- Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993] *Heartbeat* diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go index c2c6776dcdb..a0e39c27b4c 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/types.go +++ b/x-pack/filebeat/processors/decode_cef/cef/types.go @@ -105,6 +105,7 @@ var timeLayouts = []string{ "Jan _2 15:04:05.000 MST", "Jan _2 15:04:05.000 Z0700", "Jan _2 15:04:05.000 Z07:00", + "Jan _2 15:04:05.000 GMT-07:00", // MMM dd HH:mm:sss.SSS "Jan _2 15:04:05.000", @@ -113,6 +114,7 @@ var timeLayouts = []string{ "Jan _2 15:04:05 MST", "Jan _2 15:04:05 Z0700", "Jan _2 15:04:05 Z07:00", + "Jan _2 15:04:05 GMT-07:00", // MMM dd HH:mm:ss "Jan _2 15:04:05", @@ -121,6 +123,7 @@ var timeLayouts = []string{ "Jan _2 2006 15:04:05.000 MST", "Jan _2 2006 15:04:05.000 Z0700", "Jan _2 2006 15:04:05.000 Z07:00", + "Jan _2 2006 15:04:05.000 GMT-07:00", // MMM dd yyyy HH:mm:ss.SSS "Jan _2 2006 15:04:05.000", @@ -129,6 +132,7 @@ var timeLayouts = []string{ "Jan _2 2006 15:04:05 MST", "Jan _2 2006 15:04:05 Z0700", "Jan _2 2006 15:04:05 Z07:00", + "Jan _2 2006 15:04:05 GMT-07:00", // MMM dd yyyy HH:mm:ss "Jan _2 2006 15:04:05", diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go index 142538eece4..fe44c13abb8 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/types_test.go +++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go @@ -21,6 +21,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 17:37:24.000 +05", "Jun 23 17:37:24.000 +0500", "Jun 23 17:37:24.000 +05:00", + "Jun 23 17:37:24.000 GMT+05:00", // MMM dd HH:mm:sss.SSS "Jun 23 17:37:24.000", @@ -31,6 +32,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 17:37:24 +05", "Jun 23 17:37:24 +0500", "Jun 23 17:37:24 +05:00", + "Jun 23 17:37:24 GMT+05:00", // MMM dd HH:mm:ss "Jun 23 17:37:24", @@ -41,6 +43,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 2020 17:37:24.000 +05", "Jun 23 2020 17:37:24.000 +0500", "Jun 23 2020 17:37:24.000 +05:00", + "Jun 23 2020 17:37:24.000 GMT+05:00", // MMM dd yyyy HH:mm:ss.SSS "Jun 23 2020 17:37:24.000", @@ -51,6 +54,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 2020 17:37:24 +05", "Jun 23 2020 17:37:24 +0500", "Jun 23 2020 17:37:24 +05:00", + "Jun 23 2020 17:37:24 GMT+05:00", // MMM dd yyyy HH:mm:ss "Jun 23 2020 17:37:24",