crowdsec/pkg/parser/enrich_date.go


package parser
import (
"time"
expr "github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
"github.com/crowdsecurity/crowdsec/pkg/types"
log "github.com/sirupsen/logrus"
)
// parseDateWithFormat parses date using the single Go time layout format.
//
// On success it returns the timestamp marshaled with time.Time.MarshalText
// together with the parsed time.Time. On any failure (layout mismatch, a zero
// time, or a marshaling error) it returns "" and the zero time.Time, so callers
// detect failure with IsZero on the second result.
//
// time.Parse interprets a layout that carries no zone information as UTC.
//
// NOTE(review): a layout without a year yields year 0, which is replaced below
// by the current UTC year. A year-less timestamp written in late December and
// parsed after New Year therefore lands almost a year in the future. ParseDate
// assigns this value to the event time in time-machine mode, so replayed logs
// spanning a year boundary deserve a check.
func parseDateWithFormat(date, format string) (string, time.Time) {
	parsed, parseErr := time.Parse(format, date)
	if parseErr != nil || parsed.IsZero() {
		return "", time.Time{}
	}

	// The layout had no year component: assume the current (UTC) year.
	if parsed.Year() == 0 {
		currentYear := time.Now().UTC().Year()
		parsed = parsed.AddDate(currentYear, 0, 0)
	}

	text, marshalErr := parsed.MarshalText()
	if marshalErr != nil {
		log.Warningf("Failed marshaling '%v'", parsed)
		return "", time.Time{}
	}
	return string(text), parsed
}
// GenDateParse tries date against a fixed list of known layouts and returns the
// result of the first one that parses to a non-zero time.
//
// The layouts are tried in the order listed, so an input that matches several
// of them is interpreted according to the earliest entry. When nothing matches
// it returns "" and the zero time.Time.
func GenDateParse(date string) (string, time.Time) {
	knownLayouts := []string{
		time.RFC3339,
		"02/Jan/2006:15:04:05 -0700",
		"Mon Jan 2 15:04:05 2006",
		"02-Jan-2006 15:04:05 europe/paris",
		"01/02/2006 15:04:05",
		"2006-01-02 15:04:05.999999999 -0700 MST",
		"Jan 2 15:04:05", // no year: parseDateWithFormat substitutes the current year
		"Mon Jan 02 15:04:05.000000 2006",
		"2006-01-02T15:04:05Z07:00", // same string as time.RFC3339
		"2006/01/02",
		"2006/01/02 15:04",
		"2006-01-02",
		"2006-01-02 15:04",
		"2006/01/02 15:04:05",
		"2006-01-02 15:04:05",
	}

	for i := range knownLayouts {
		if marshaled, ts := parseDateWithFormat(date, knownLayouts[i]); !ts.IsZero() {
			return marshaled, ts
		}
	}
	return "", time.Time{}
}
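// ParseDate extracts a timestamp from in and returns it under the
// "MarshaledTime" key of the result map.
//
// Parsing is attempted in this order:
//  1. the event's own layout, p.StrTimeFormat, when it is set;
//  2. the built-in layouts of GenDateParse;
//  3. expr.ParseUnixTime.
//
// If every attempt fails, or in is empty, the current UTC time is used instead,
// so a value the parser cannot read is silently replaced by "now" (only a debug
// message records it).
//
// p.Time is overwritten with the parsed value only when p.ExpectMode is
// types.TIMEMACHINE; otherwise the event keeps the time it already carries.
// The x parameter is not used.
//
// The only error returned is a failure to marshal the fallback time.
//
// NOTE(review): in is presumably taken from the parsed log line, i.e. it may be
// attacker-influenced, and it is written verbatim into debug log messages;
// confirm the configured log formatter escapes it.
func ParseDate(in string, p *types.Event, x interface{}, plog *log.Entry) (map[string]string, error) {
	ret := make(map[string]string)

	// record stores a successful parse; shared by the three strategies below.
	record := func(marshaled string, ts time.Time) (map[string]string, error) {
		ret["MarshaledTime"] = marshaled
		//In time machine, we take the time parsed from the event. In live mode, we keep the timestamp collected at acquisition
		if p.ExpectMode == types.TIMEMACHINE {
			p.Time = ts
		}
		return ret, nil
	}

	if in != "" {
		if p.StrTimeFormat != "" {
			if strDate, parsedDate := parseDateWithFormat(in, p.StrTimeFormat); !parsedDate.IsZero() {
				return record(strDate, parsedDate)
			}
			plog.Debugf("unable to parse '%s' with layout '%s'", in, p.StrTimeFormat)
		}

		if strDate, parsedDate := GenDateParse(in); !parsedDate.IsZero() {
			return record(strDate, parsedDate)
		}

		if timeobj, err := expr.ParseUnixTime(in); err == nil {
			// ParseUnixTime hands back an interface value. Use a checked
			// assertion so an unexpected dynamic type falls through to the
			// "now" fallback instead of panicking the parser.
			if ts, ok := timeobj.(time.Time); ok {
				return record(ts.Format(time.RFC3339), ts)
			}
		}
	}

	plog.Debugf("no suitable date format found for '%s', falling back to now", in)
	now := time.Now().UTC()
	retstr, err := now.MarshalText()
	if err != nil {
		plog.Warning("Failed marshaling current time")
		return ret, err
	}
	ret["MarshaledTime"] = string(retstr)
	return ret, nil
}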
// parseDateInit is the initialisation hook for the date enricher. It ignores
// cfg and has no state to set up, so it returns a nil value and a nil error.
func parseDateInit(cfg map[string]string) (interface{}, error) {
	var state interface{} // stays nil: nothing to initialise
	return state, nil
}