
mactime2

Replacement for mactime

Changes to original mactime

Installation

```shell
cargo install mactime2
```

Usage

```text
Options:
  -v, --verbose...                   More output per occurrence
  -q, --quiet...                     Less output per occurrence
  -b <INPUT_FILE>                    path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped) [default: -]
  -f, --from-timezone <SRC_ZONE>     name or offset of source timezone (or 'list' to display all possible values)
  -t, --to-timezone <DST_ZONE>       name or offset of destination timezone (or 'list' to display all possible values)
      --strict                       strict mode: do not only warn, but abort if an error occurs
  -I, --input-format <INPUT_FORMAT>  input format [default: bodyfile] [possible values: bodyfile, json]
  -F, --format <OUTPUT_FORMAT>       output format; if not specified, the default is 'txt' [possible values: csv, txt, json, elastic]
  -d                                 output as CSV instead of TXT. This is a convenience option, identical to `--format=csv`, and will be removed in a future release. If you specify both `--format` and `-d`, the latter is ignored
  -j                                 output as JSON instead of TXT. This is a convenience option, identical to `--format=json`, and will be removed in a future release. If you specify both `--format` and `-j`, the latter is ignored
      --index <INDEX_NAME>           name of the elasticsearch index
  -X, --expect-existing              If this flag is set, a new index is created if it does not exist already, and new values will be inserted into the index, no matter what. If the flag is not set, mactime2 will check if the index exists and will abort if there is already such an index. Otherwise, the index will be newly created
  -H, --host <HOST>                  server name or IP address of elasticsearch server [default: localhost]
  -P, --port <PORT>                  API port number of elasticsearch server [default: 9200]
      --proto <PROTOCOL>             protocol to be used to connect to elasticsearch [default: https] [possible values: http, https]
  -k, --insecure                     omit certificate validation
  -U, --username <USERNAME>          username for elasticsearch server [default: elastic]
  -W, --password <PASSWORD>          password for authenticating at elasticsearch
  -h, --help                         Print help information
  -V, --version                      Print version information
```

Two of the Elasticsearch options deserve care: `-k` switches off TLS certificate validation for the connection, so it should be reserved for test instances, and a password given with `-W` on the command line ends up in the shell history and in the process list visible to other users on the host.

Examples

Convert a Windows Event Log timeline to JSON that is easier to parse

This assumes that the name field of each bodyfile entry holds a JSON document (as written by the tool that produced the event log bodyfile); `fromjson` parses it so that the event fields become regular JSON keys:

```shell
mactime2 -j -b sample.bodyfile | jq '{"ts": .ts, "event": .name | fromjson | {"event_id": .event_id, "channel": .channel_name, "data": .custom_data} }'
```

results in output like the following:

```json
{
  "ts": "2022-05-16T03:19:19+00:00",
  "event": {
    "event_id": 4624,
    "channel": "Security",
    "data": {
      "EventData": {
        "AuthenticationPackageName": "-",
        "IpAddress": "-",
        "IpPort": "-",
        "KeyLength": 0,
        "LmPackageName": "-",
        "LogonGuid": "00000000-0000-0000-0000-000000000000",
        "LogonProcessName": "-",
        "LogonType": 0,
        "ProcessId": "0x4",
        "ProcessName": "",
        "SubjectDomainName": "-",
        "SubjectLogonId": "0x0",
        "SubjectUserName": "-",
        "SubjectUserSid": "S-1-0-0",
        "TargetDomainName": "NT-AUTORITÄT",
        "TargetLogonId": "0x3e7",
        "TargetUserName": "SYSTEM",
        "TargetUserSid": "S-1-5-18",
        "TransmittedServices": "-",
        "WorkstationName": "-"
      }
    }
  }
}
```
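To make the option semantics above concrete (one timeline row per distinct timestamp with MACB flags, `-f`/`-t` zone conversion, `-F txt|json`, entries whose timestamps are all -1) and to show what the jq filter in the example does, here is an added, self-contained Python reimplementation of that core. It is illustration code written for this README, not mactime2's own code: the bodyfile layout is the TSK 3.x one, the JSON keys `ts` and `name` follow the jq example, the reading of epoch values as wall-clock time in the source zone is an assumption about what `--from-timezone` means, and all function names, the `macb` key and the sample bodyfile lines are constructed for this example.

```python
"""Bodyfile-to-timeline conversion in the style of mactime/mactime2.
Added illustration, not mactime2's own code: it mirrors what the options
above describe (one row per distinct timestamp with MACB flags, -f/-t zone
conversion, -F txt|json). The JSON keys "ts" and "name" follow the jq
example in this README; every other name here is this example's own choice."""
import json
from datetime import datetime, timedelta, timezone

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")  # TSK 3.x bodyfile layout (assumed)

# Constructed sample input. Line 3 mimics an event-log bodyfile whose name
# field carries JSON (what the jq example expects); line 4 has all four
# timestamps set to -1, which mactime2 >= 1.0.1 displays instead of dropping.
SAMPLE_BODYFILE = "\n".join([
    "0|/Windows/System32/cmd.exe|1234|r/rrwxrwxrwx|0|0|289792"
    "|1652671159|1652671159|1652671159|1640000000",
    "0|/Users/alice/notes.txt|5678|r/rrw-rw-rw-|1000|1000|42"
    "|1652671200|1652671100|1652671100|1652671000",
    '0|{"event_id": 4624, "channel_name": "Security", "custom_data": '
    '{"EventData": {"TargetUserName": "SYSTEM"}}}|0|0|0|0|0|-1|1652671159|-1|-1',
    "0|/orphan|9999|r/rrwxrwxrwx|0|0|0|-1|-1|-1|-1",
])


def parse_zone(spec):
    """-f/-t value: an IANA name ('Europe/Berlin') or an offset ('+02:00', '-0500')."""
    if spec.upper() in ("UTC", "Z"):
        return timezone.utc
    digits = spec[1:].replace(":", "")
    if spec[:1] in ("+", "-") and digits.isdigit():
        delta = timedelta(hours=int(digits[:2]), minutes=int(digits[2:4] or 0))
        return timezone(delta if spec[0] == "+" else -delta)
    from zoneinfo import ZoneInfo  # needs tzdata on the host; only used for names
    return ZoneInfo(spec)


def parse_bodyfile_line(line, strict=False):
    """One record as a dict. The name may contain '|' (e.g. JSON), so the nine
    fixed trailing fields are taken from the right and the rest is the name."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < len(FIELDS):
        if strict:  # --strict: abort on a malformed line instead of skipping it
            raise ValueError(f"malformed bodyfile line: {line!r}")
        return None
    rec = dict(zip(FIELDS, [parts[0], "|".join(parts[1:-9])] + parts[-9:]))
    for key in ("atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    return rec


def to_iso(epoch, from_zone=timezone.utc, to_zone=timezone.utc):
    """Read the epoch as wall-clock time in from_zone (the case where a producer
    stamped local time as if it were UTC), then shift it to to_zone."""
    naive = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)
    return naive.replace(tzinfo=from_zone).astimezone(to_zone).isoformat()


def timeline_rows(text, from_zone=timezone.utc, to_zone=timezone.utc, strict=False):
    """mactime-style expansion: one row per distinct timestamp of an entry, with
    MACB letters (m=mtime a=atime c=ctime b=crtime) set where it applies."""
    rows = []
    for line in text.splitlines():
        rec = parse_bodyfile_line(line, strict) if line.strip() else None
        if rec is None:
            continue
        stamps = {"m": rec["mtime"], "a": rec["atime"], "c": rec["ctime"], "b": rec["crtime"]}
        base = {k: rec[k] for k in ("name", "inode", "mode", "uid", "gid", "size")}
        known = sorted({v for v in stamps.values() if v != -1})
        if not known:  # keep the entry visible even without a usable timestamp
            rows.append({"epoch": -1, "ts": "-", "macb": "....", **base})
        for epoch in known:
            macb = "".join(ch if stamps[ch] == epoch else "." for ch in "macb")
            rows.append({"epoch": epoch, "ts": to_iso(epoch, from_zone, to_zone),
                         "macb": macb, **base})
    rows.sort(key=lambda r: (r["epoch"], r["name"]))
    return rows


def render(rows, fmt="txt"):
    """-F txt|json: JSON is one object per line so `jq` can stream it."""
    if fmt == "json":
        return "\n".join(json.dumps({k: v for k, v in r.items() if k != "epoch"}) for r in rows)
    cols = ("ts", "size", "macb", "mode", "uid", "gid", "inode", "name")
    return "\n".join("{:<25} {:>8} {} {:<12} {:>5} {:>5} {:>6} {}".format(*(r[c] for c in cols))
                     for r in rows)


def extract_event(row):
    """Python equivalent of the README's jq filter for a row whose name is JSON."""
    event = json.loads(row["name"])
    return {"ts": row["ts"], "event": {"event_id": event["event_id"],
                                       "channel": event["channel_name"],
                                       "data": event["custom_data"]}}


if __name__ == "__main__":
    table = timeline_rows(SAMPLE_BODYFILE, parse_zone("UTC"), parse_zone("+02:00"))
    print(render(table))
```

Running the file prints the sample timeline shifted to +02:00; `render(table, "json")` yields the line-per-object form that the jq pipeline consumes, and `extract_event` applied to the event-log row reproduces the shape of the JSON shown above. Taking the nine fixed fields from the right of each line is what keeps a name that itself contains `|` (possible once the name is a JSON document) from corrupting the timestamp columns.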

Changes

|Version|Change|
|-|-|
|0.1.2|Support for gzip-compressed input as an optional feature. This was a user request to allow for a smaller bodyfile footprint|
|0.2.2|Lines with invalid characters are no longer ignored|
|1.0.1|Also display lines with all timestamps set to -1|
|1.0.5|Better handling of ambiguous file names|
|1.1.0|Support for JSON output, parsable by jq|