<div dir="ltr">How about a yaml option that selects one or the other?  Make everybody happy.<br><br>Tom<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 4, 2014 at 6:03 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 03/04/2014 06:15 PM, Brian Rectanus wrote:<br>
> On Tue, Mar 4, 2014 at 8:28 AM, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a><br>
</div><div><div class="h5">> <mailto:<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>>> wrote:<br>
><br>
>     On 03/04/2014 03:06 PM, Victor Julien wrote:<br>
>     > On 03/02/2014 12:12 AM, Brian Rectanus wrote:<br>
>     >> Use an iso timestamp. At least something sortable with yyyy-mm-dd.<br>
>     >><br>
>     >> 2011-12-22T22:25:52.921841Z<br>
>     ><br>
>     > Any suggestions on how to generate this string? Was looking at strftime,<br>
>     > but since it uses "struct tm" it seems to use a max precision of a second.<br>
>     ><br>
>     > I can of course easily generate the above string myself, however the ISO<br>
>     > 8601 format seems to take into account timezones and all, and I don't want<br>
>     > to implement all that logic manually.<br>
><br>
>     If I ignore that timezone stuff for now, this is an example of what it<br>
>     would look like:<br>
><br>
>     {"time":"2014-02-07T17:15:28.972757Z",...<br>
><br>
>     Code:<br>
><br>
>     static void CreateTimeStringISO(struct timeval *tv, char *buffer, size_t buflen)<br>
>     {<br>
>         char local_buf[64];<br>
>         time_t time = tv->tv_sec;<br>
>         struct tm local_tm;<br>
>         struct tm *t = (struct tm*)SCLocalTime(time, &local_tm);<br>
><br>
>         strftime(local_buf, sizeof(local_buf), "%FT%T", t);<br>
>         snprintf(buffer, buflen, "%s.%06uZ", local_buf, (uint32_t)tv->tv_usec);<br>
>     }<br>
><br>
>     Thoughts?<br>
><br>
><br>
> Yes, you could ignore timezone and use Z (UTC time, e.g., short for<br>
> -0000) if you use gm time vs local time.<br>
<br>
</div></div>I can live with this. Lots of ppl don't really like UTC though. Thoughts<br>
anyone?<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</div></div></blockquote></div><br></div>