Osquery: can I change the timezone displayed in osquery.results.log?

Created on 30 Oct 2017 · 3 Comments · Source: osquery/osquery

{"name":"logged_in_users","hostIdentifier":"vulnerabilityverify2test-vbj01c-1","calendarTime":"Mon Oct 30 03:00:41 2017 UTC","unixTime":"1509332441","epoch":"0","counter":"807","columns":{"host":"172.20.0.233","pid":"2301","time":"1509332151","tty":"pts\/0","type":"user","user":"root"},"action":"added"}

If I want to change the "calendarTime":"Mon Oct 30 03:00:41 2017 UTC" to GMT+08:00, what should I do? Thanks.

logging question

All 3 comments

I'm not sure actually. I don't think this is possible.

I was curious about doing it locally and tried with jq:

bash-3.2$ echo '{"name":"logged_in_users","hostIdentifier":"vulnerabilityverify2test-vbj01c-1","calendarTime":"Mon Oct 30 03:00:41 2017 UTC","unixTime":"1509332441","epoch":"0","counter":"807","columns":{"host":"172.20.0.233","pid":"2301","time":"1509332151","tty":"pts/0","type":"user","user":"root"},"action":"added"}' |\
jq 'if .calendarTime then .calendarTime |= (strptime("%c")|todate) else . end'
{
  "name": "logged_in_users",
  "hostIdentifier": "vulnerabilityverify2test-vbj01c-1",
  "calendarTime": "2017-10-30T03:00:41Z",
  "unixTime": "1509332441",
  "epoch": "0",
  "counter": "807",
  "columns": {
    "host": "172.20.0.233",
    "pid": "2301",
    "time": "1509332151",
    "tty": "pts/0",
    "type": "user",
    "user": "root"
  },
  "action": "added"
}

As you can see I can reformat the calendarTime string, but I can't offset it by the timezone.

I'm sure you could write something clever with awk but the right answer would be to ship your logs to a central service and then use something like logstash.
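The offset that the jq one-liner above cannot apply can be added locally by reading the unixTime field, which osquery writes as UTC epoch seconds, and rendering it at a fixed UTC offset. This is an added example, not code from the osquery project or from anyone in this thread; it uses only the Python 3 standard library, keeps the original UTC fields intact so the record still correlates with other logs, and the sample line is constructed from the one in the question.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the result line from the question, as osquery writes it
SAMPLE_LINE = ('{"name":"logged_in_users","hostIdentifier":"vulnerabilityverify2test-vbj01c-1",'
               '"calendarTime":"Mon Oct 30 03:00:41 2017 UTC","unixTime":"1509332441",'
               '"epoch":"0","counter":"807","columns":{"host":"172.20.0.233","pid":"2301",'
               '"time":"1509332151","tty":"pts/0","type":"user","user":"root"},"action":"added"}')

# osquery's calendarTime is always UTC in this fixed format (same string jq parsed with %c)
CALENDAR_FMT = "%a %b %d %H:%M:%S %Y UTC"


def result_epoch(rec: dict) -> int:
    """Return the record's epoch seconds, preferring unixTime over calendarTime."""
    if "unixTime" in rec:
        return int(rec["unixTime"])  # osquery emits the number as a JSON string
    # Fallback for records without unixTime: parse the UTC calendarTime string
    dt = datetime.strptime(rec["calendarTime"], CALENDAR_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def localize_result(line: str, offset_hours: int = 8) -> dict:
    """Parse one osquery.results.log line and add calendarTimeLocal at the given UTC offset.

    calendarTime and unixTime are left untouched; only a derived field is added,
    so the UTC record can still be matched against other log sources.
    """
    rec = json.loads(line)
    tz = timezone(timedelta(hours=offset_hours))
    local_dt = datetime.fromtimestamp(result_epoch(rec), tz)
    rec["calendarTimeLocal"] = local_dt.isoformat()  # e.g. 2017-10-30T11:00:41+08:00
    return rec


if __name__ == "__main__":
    # Filter mode: python3 localize.py < osquery.results.log
    import sys
    for raw in sys.stdin:
        if raw.strip():
            print(json.dumps(localize_result(raw)))
```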

Going to close this for now, if there's an interest on having osquery do this, please open a feature request.
