{"name":"logged_in_users","hostIdentifier":"vulnerabilityverify2test-vbj01c-1","calendarTime":"Mon Oct 30 03:00:41 2017 UTC","unixTime":"1509332441","epoch":"0","counter":"807","columns":{"host":"172.20.0.233","pid":"2301","time":"1509332151","tty":"pts\/0","type":"user","user":"root"},"action":"added"}
If I want to change "calendarTime":"Mon Oct 30 03:00:41 2017 UTC" to GMT+08:00, what should I do? Thanks.
I'm not sure actually. I don't think this is possible.
I was curious about doing it locally and tried with jq:
bash-3.2$ echo '{"name":"logged_in_users","hostIdentifier":"vulnerabilityverify2test-vbj01c-1","calendarTime":"Mon Oct 30 03:00:41 2017 UTC","unixTime":"1509332441","epoch":"0","counter":"807","columns":{"host":"172.20.0.233","pid":"2301","time":"1509332151","tty":"pts/0","type":"user","user":"root"},"action":"added"}' |\
    jq 'if .calendarTime then .calendarTime |= (strptime("%c")|todate) else . end'
{
  "name": "logged_in_users",
  "hostIdentifier": "vulnerabilityverify2test-vbj01c-1",
  "calendarTime": "2017-10-30T03:00:41Z",
  "unixTime": "1509332441",
  "epoch": "0",
  "counter": "807",
  "columns": {
    "host": "172.20.0.233",
    "pid": "2301",
    "time": "1509332151",
    "tty": "pts/0",
    "type": "user",
    "user": "root"
  },
  "action": "added"
}
As you can see I can reformat the calendarTime string, but I can't offset it by the timezone.
I'm sure you could write something clever with awk, but the right answer would be to ship your logs to a central service and then use something like logstash.
Going to close this for now, if there's an interest on having osquery do this, please open a feature request.
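One way to apply the offset locally, as an added example that is neither osquery's nor the commenter's code: instead of re-parsing the calendarTime string, read the unixTime epoch field (and columns.time, the login time in logged_in_users) and format them for a fixed GMT+08:00 offset. The sample line is the one from the issue embedded as a constructed constant, and the target zone is an assumed fixed offset with no DST rules.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the osquery result line from the issue, as one JSON document.
SAMPLE_LINE = (
    '{"name":"logged_in_users","hostIdentifier":"vulnerabilityverify2test-vbj01c-1",'
    '"calendarTime":"Mon Oct 30 03:00:41 2017 UTC","unixTime":"1509332441","epoch":"0",'
    '"counter":"807","columns":{"host":"172.20.0.233","pid":"2301","time":"1509332151",'
    '"tty":"pts/0","type":"user","user":"root"},"action":"added"}'
)

# Assumed target zone: GMT+08:00 as asked in the issue (fixed offset, no DST handling).
GMT8 = timezone(timedelta(hours=8), name="GMT+08:00")


def epoch_to_local(epoch_seconds: str, tz: timezone) -> datetime:
    """osquery writes unixTime and columns.time as epoch-second strings (always UTC-based).
    Interpret them as UTC and shift into the requested zone."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).astimezone(tz)


def localize_result(line: str, tz: timezone = GMT8) -> dict:
    """Rewrite calendarTime of one osquery result line for the given zone.

    The offset is applied arithmetically from unixTime, so the original UTC
    epoch stays in the record and the output carries an explicit +0800 suffix
    (calendarTime alone would be ambiguous once it no longer says UTC)."""
    result = json.loads(line)
    if str(result.get("unixTime", "")).isdigit():
        local = epoch_to_local(result["unixTime"], tz)
        result["calendarTime"] = local.strftime("%a %b %d %H:%M:%S %Y %z")
    # logged_in_users also reports the login time as epoch seconds in columns.time;
    # keep the raw value and add an ISO 8601 rendering beside it.
    cols = result.get("columns")
    if isinstance(cols, dict) and str(cols.get("time", "")).isdigit():
        cols["time_local"] = epoch_to_local(cols["time"], tz).isoformat()
    return result


if __name__ == "__main__":
    print(json.dumps(localize_result(SAMPLE_LINE), indent=2))
```

Run it over a results log with `for line in sys.stdin` to convert a whole file one line at a time.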