Graylog 4, apache, epoch microseconds to date

we have a bunch of apache logs being put into a syslog facility by syslog itself, then I forward everything to graylog via a line like this:

. @{{ graylog_server_address_fqdn }}:{{ graylog_ingest_port }};RSYSLOG_SyslogProtocol23Format

our apachelog format is a heavily customized and I do have a grok extractor in graylog that parses it, one of the fields we parse is epoch in microseconds, I’d like that to be in a human readable form.

what’s the best way to go about it?
I don’t think I need GELF and make a template in rsyslog to forward it like that, rsyslog sends a json field with “message” containing the apache log string, it wouldn’t handle that field anyways.

do I need a processing pipeline or can I just have the grok pattern handle the conversion of that apache log string field as it’s extracted from the “message”?

Try to use pipeline rule like this, which uses function parse_unix_milliseconds() and I divide epoch in microseconds by 1000 to get miliseconds required by pipeline function.

rule "Epoch Convert"
  let ts_millis = to_long($message.eventtime) / 1000;
  let new_date = parse_unix_milliseconds(ts_millis);
  set_field("epoch_timestamp", new_date);
  //set_field("timestamp", new_date);

Replace eventtime with your real field which contains epoch in microseconds. Uncomment line //set_field("timestamp", new_date); if you want to replace timestamp field by epoch in apache.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.