diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 18e21e08ea1..216cc9911d3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -413,6 +413,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Explicitly set ECS version in all Filebeat modules. {pull}19198[19198]
 - Add new mode to multiline reader to aggregate constant number of lines {pull}18352[18352]
 - Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956]
+- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346]
 - Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379]
 
 *Heartbeat*
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go
index 6ef0b830622..c2c6776dcdb 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/types.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/types.go
@@ -103,18 +103,33 @@ func toMACAddress(v string) (string, error) {
 var timeLayouts = []string{
 	// MMM dd HH:mm:ss.SSS zzz
 	"Jan _2 15:04:05.000 MST",
+	"Jan _2 15:04:05.000 Z0700",
+	"Jan _2 15:04:05.000 Z07:00",
+
 	// MMM dd HH:mm:sss.SSS
 	"Jan _2 15:04:05.000",
+
 	// MMM dd HH:mm:ss zzz
 	"Jan _2 15:04:05 MST",
+	"Jan _2 15:04:05 Z0700",
+	"Jan _2 15:04:05 Z07:00",
+
 	// MMM dd HH:mm:ss
 	"Jan _2 15:04:05",
+
 	// MMM dd yyyy HH:mm:ss.SSS zzz
 	"Jan _2 2006 15:04:05.000 MST",
+	"Jan _2 2006 15:04:05.000 Z0700",
+	"Jan _2 2006 15:04:05.000 Z07:00",
+
 	// MMM dd yyyy HH:mm:ss.SSS
 	"Jan _2 2006 15:04:05.000",
+
 	// MMM dd yyyy HH:mm:ss zzz
 	"Jan _2 2006 15:04:05 MST",
+	"Jan _2 2006 15:04:05 Z0700",
+	"Jan _2 2006 15:04:05 Z07:00",
+
 	// MMM dd yyyy HH:mm:ss
 	"Jan _2 2006 15:04:05",
 }
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
new file mode 100644
index 00000000000..142538eece4
--- /dev/null
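Review bot: In each `zzz` group the `MST` layout is still listed ahead of the new numeric ones, and Go's time.Parse does not fail on an abbreviation it cannot resolve against the local zone — it records the time in a fabricated location with that name and a zero offset — so `Jun 23 17:37:24.000 EST` parses cleanly but five hours off, and the two-digit `+05` form, which neither `Z0700` (four digits) nor `Z07:00` (colon required) can match, presumably only passes the PR's test by going through the `MST` layout with offset zero. In a log pipeline that silently shifts event times by hours and breaks correlation and detection windows. Put the numeric layouts first and add the short form, e.g. `"Jan _2 15:04:05.000 Z07:00", "Jan _2 15:04:05.000 Z0700", "Jan _2 15:04:05.000 Z07",` ahead of `"Jan _2 15:04:05.000 MST"` and likewise in the other three groups, so a numeric offset is always parsed as an offset, and add a comment above the slice such as `// Layouts are tried in order; an abbreviation other than the host's local zone is accepted at offset zero.` The slice is consumed by toTimestamp outside this hunk, so the in-order try assumption should be confirmed there.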
+++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
@@ -0,0 +1,63 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cef
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestToTimestamp(t *testing.T) {
+	var times = []string{
+		// Unix epoch in milliseconds.
+		"1322004689000",
+
+		// MMM dd HH:mm:ss.SSS zzz
+		"Jun 23 17:37:24.000 Z",
+		"Jun 23 17:37:24.000 EST",
+		"Jun 23 17:37:24.000 +05",
+		"Jun 23 17:37:24.000 +0500",
+		"Jun 23 17:37:24.000 +05:00",
+
+		// MMM dd HH:mm:sss.SSS
+		"Jun 23 17:37:24.000",
+
+		// MMM dd HH:mm:ss zzz
+		"Jun 23 17:37:24 Z",
+		"Jun 23 17:37:24 EST",
+		"Jun 23 17:37:24 +05",
+		"Jun 23 17:37:24 +0500",
+		"Jun 23 17:37:24 +05:00",
+
+		// MMM dd HH:mm:ss
+		"Jun 23 17:37:24",
+
+		// MMM dd yyyy HH:mm:ss.SSS zzz
+		"Jun 23 2020 17:37:24.000 Z",
+		"Jun 23 2020 17:37:24.000 EST",
+		"Jun 23 2020 17:37:24.000 +05",
+		"Jun 23 2020 17:37:24.000 +0500",
+		"Jun 23 2020 17:37:24.000 +05:00",
+
+		// MMM dd yyyy HH:mm:ss.SSS
+		"Jun 23 2020 17:37:24.000",
+
+		// MMM dd yyyy HH:mm:ss zzz
+		"Jun 23 2020 17:37:24 Z",
+		"Jun 23 2020 17:37:24 EST",
+		"Jun 23 2020 17:37:24 +05",
+		"Jun 23 2020 17:37:24 +0500",
+		"Jun 23 2020 17:37:24 +05:00",
+
+		// MMM dd yyyy HH:mm:ss
+		"Jun 23 2020 17:37:24",
+	}
+
+	for _, timeValue := range times {
+		_, err := toTimestamp(timeValue)
+		assert.NoError(t, err, timeValue)
+	}
+}
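Review bot: The loop at the end of TestToTimestamp asserts only that `toTimestamp` returned no error, so it cannot distinguish a correctly applied `+05:00` from an offset that was accepted but recorded as zero (Go keeps an unresolved zone abbreviation at offset zero instead of failing), which means `EST`, `+05` and `+0500` all pass whatever instant they produce. Parse one reference spelling and require the other spellings of the same instant to agree with it; assuming `toTimestamp` returns a `time.Time`, the addition below does that for the year-bearing inputs (the year-less forms cannot be compared this way since their year is not in the input). A comment on `times` such as `// Acceptance only: this list does not check the instant that was parsed.` would also keep the next reader from over-trusting the existing loop.
```go
	// … unchanged: license header, package clause, imports, times slice and the NoError loop …

	// Spellings of one instant must agree once parsed; a NoError-only check
	// would not notice an offset that was accepted but applied as zero.
	want, err := toTimestamp("Jun 23 2020 17:37:24.000 +05:00")
	if !assert.NoError(t, err) {
		return
	}
	for _, same := range []string{
		"Jun 23 2020 17:37:24.000 +05",
		"Jun 23 2020 17:37:24.000 +0500",
		"Jun 23 2020 17:37:24 +05:00",
	} {
		got, err := toTimestamp(same)
		if assert.NoError(t, err, same) {
			assert.True(t, got.Equal(want), same)
		}
	}
```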