[Oisf-devel] ssh json

Peter Manev petermanev at gmail.com
Mon Mar 3 09:51:09 UTC 2014


On Mon, Mar 3, 2014 at 9:54 AM, Victor Julien <victor at inliniac.net> wrote:
> On 03/02/2014 07:06 PM, Peter Manev wrote:
>>
>>
>>> On 2 mar 2014, at 16:48, Jason Ish <lists at unx.ca> wrote:
>>>
>>>> On Sat, Mar 1, 2014 at 5:12 PM, Brian Rectanus <brectanu at gmail.com> wrote:
>>>> Use an iso timestamp. At least something sortable with yyyy-mm-dd.
>>>>
>>>> 2011-12-22T22:25:52.921841Z
>>>>
>>>>> On Saturday, March 1, 2014, Victor Julien <victor at inliniac.net> wrote:
>>>>>
>>>>> Any feedback on this format?
>>>>>
>>>>>
>>>>> {"time":"12\/22\/2011-22:25:52.921841","pcap_cnt":9,"event_type":"ssh","src_ip":"192.168.0.110","src_port":22,"dest_ip":"218.75.172.161","dest_port":56779,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"libssh-0.1"},"server":{"proto_version":"2.0","software_version":"OpenSSH_4.7p1 Debian-8ubuntu3"}}}
>>>
>>> Yeah, I agree with Brian here.  I find the ISO format a little easier
>>> to read as well, perhaps no escaping.  And it seems to be a common
>>> format for use with JSON.  I guess this comment applies to all the
>>> json output, not just ssh.
>>
>>
>> I agree as well.
>
> Will this affect the way things are handled by logstash?

No. It is actually better if ISO is used.
Logstash already uses standard ISO time format for timestamping when
the logs were imported.

thanks

-- 
Regards,
Peter Manev
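Added example (not code from Suricata or from anyone in this thread): it takes the proposed ssh event, rewrites its "time" field from the "MM/DD/YYYY-HH:MM:SS.ffffff" form into the ISO 8601 form Brian suggested, and checks the sortability point the thread makes. It assumes the original timestamp is UTC (the thread's ISO example carries a trailing "Z"); the sample event is a constructed copy of the JSON quoted above.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the event format quoted in the thread, as one JSON line.
SAMPLE_EVENT = (
    '{"time":"12\\/22\\/2011-22:25:52.921841","pcap_cnt":9,"event_type":"ssh",'
    '"src_ip":"192.168.0.110","src_port":22,"dest_ip":"218.75.172.161",'
    '"dest_port":56779,"proto":"TCP","ssh":{"client":{"proto_version":"2.0",'
    '"software_version":"libssh-0.1"},"server":{"proto_version":"2.0",'
    '"software_version":"OpenSSH_4.7p1 Debian-8ubuntu3"}}}'
)

OLD_FORMAT = "%m/%d/%Y-%H:%M:%S.%f"      # "12/22/2011-22:25:52.921841"
ISO_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"     # "2011-12-22T22:25:52.921841Z"


def to_iso8601(suricata_time: str) -> str:
    """Convert the old timestamp to ISO 8601 UTC. Assumption: input is UTC."""
    dt = datetime.strptime(suricata_time, OLD_FORMAT).replace(tzinfo=timezone.utc)
    return dt.strftime(ISO_FORMAT)


def rewrite_event(line: str) -> dict:
    """Parse one event line and replace its "time" field with the ISO form.

    json.loads also undoes the "\\/" escaping of the slashes, so the
    datetime parser sees plain "12/22/2011-...".
    """
    event = json.loads(line)
    event["time"] = to_iso8601(event["time"])
    return event


def lexical_order_is_chronological(times, fmt: str) -> bool:
    """True if sorting the strings as text gives the same order as sorting by time."""
    by_text = sorted(times)
    by_time = sorted(times, key=lambda t: datetime.strptime(t, fmt))
    return by_text == by_time


if __name__ == "__main__":
    print(json.dumps(rewrite_event(SAMPLE_EVENT)))
    old = ["12/22/2011-22:25:52.921841", "01/02/2012-00:00:00.000000"]
    print("old format sorts chronologically:",
          lexical_order_is_chronological(old, OLD_FORMAT))          # False
    print("ISO format sorts chronologically:",
          lexical_order_is_chronological([to_iso8601(t) for t in old], ISO_FORMAT))  # True
```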
