Crates.io Crates.io (latest) Codecov

mactime2

Replacement for mactime

Changes to original mactime

Installation

shell cargo install mactime2

Usage

`` mactime2 2.0.0 Jan Starke <Jan.Starke@t-systems.com> Replacement formactime`

USAGE: mactime2 [OPTIONS] [BODYFILE]

ARGS: path to bodyfile of '-' for stdin (files ending with .gz will be treated as being gzipped) [default: -]

OPTIONS: -f, --from-timezone name of offset of source timezone (or 'list' to display all possible values -t, --to-timezone name of offset of destination timezone (or 'list' to display all possible values --strict strict mode: do not only warn, but abort if an error occurs -F, --format output format, if not specified, default value is 'txt' [possible values: csv, txt, json] -d output as CSV instead of TXT. This is a conveniance option, which is identical to --format=csv and will be removed in a future release. If you specified --format and -d, the latter will be ignored -j output as JSON instead of TXT. This is a conveniance option, which is identical to --format=json and will be removed in a future release. If you specified --format and -j, the latter will be ignored -h, --help Print help information -q, --quiet Less output per occurrence -v, --verbose More output per occurrence -V, --version Print version information

```

Examples

Convert Windows Event Log timelines to better parsable json

shell mactime2 -j -b sample.bodyfile | jq '{"ts": .ts, "event": .name | fromjson | {"event_id": .event_id, "channel": .channel_name, "data": .custom_data} }'

results in an output like the following: json { "ts": "2022-05-16T03:19:19+00:00", "event": { "event_id": 4624, "channel": "Security", "data": { "EventData": { "AuthenticationPackageName": "-", "IpAddress": "-", "IpPort": "-", "KeyLength": 0, "LmPackageName": "-", "LogonGuid": "00000000-0000-0000-0000-000000000000", "LogonProcessName": "-", "LogonType": 0, "ProcessId": "0x4", "ProcessName": "", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetDomainName": "NT-AUTORITÄT", "TargetLogonId": "0x3e7", "TargetUserName": "SYSTEM", "TargetUserSid": "S-1-5-18", "TransmittedServices": "-", "WorkstationName": "-" } } } }

Changes

|Version|Change| |-|-| |0.1.2|Support for gzip compressed input as optional feature. This was a user request to allow for smaller bodyfile footprint| |0.2.2|don't ignore lines with invalid characters anymore| |1.0.1|Also display lines with all timestamps set to -1| |1.0.5|better handling of ambiguous file names| |1.1.0|Support for JSON output, parsable by jq|