20 versions (stable)

3.2.0 July 5, 2023
3.1.1 November 14, 2022
2.0.1 September 18, 2022
1.1.2 June 21, 2022
0.1.1 November 26, 2021

#678 in Parser implementations


65 downloads per month

GPL-3.0 license

38KB
882 lines


mactime2

A replacement for mactime

Changes compared to the original mactime

  • no implicit conversion of timestamps to the local date/time
  • the timezone can be corrected explicitly
  • a different date/time format (RFC3339) that always includes the timezone offset
  • faster

Installation

cargo install mactime2

Usage

Usage: mactime2 [OPTIONS]

Options:
  -v, --verbose...                More output per occurrence
  -q, --quiet...                  Less output per occurrence
  -b <INPUT_FILE>                 path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped) [default: -]
  -f, --from-timezone <SRC_ZONE>  name of offset of source timezone (or 'list' to display all possible values
  -t, --to-timezone <DST_ZONE>    name of offset of destination timezone (or 'list' to display all possible values
      --strict                    strict mode: do not only warn, but abort if an error occurs
  -F, --format <OUTPUT_FORMAT>    output format, if not specified, default value is 'txt' [possible values: csv, txt, json, elastic]
  -d                              output as CSV instead of TXT. This is a conveniance option, which is identical to `--format=csv` and will be removed in a future release.
                                  If you specified `--format` and `-d`, the latter will be ignored
  -j                              output as JSON instead of TXT. This is a conveniance option, which is identical to `--format=json` and will be removed in a future release.
                                  If you specified `--format` and `-j`, the latter will be ignored
  -h, --help                      Print help information
  -V, --version                   Print version information

Example

Convert a Windows event log timeline into more easily parseable JSON

mactime2 -j -b sample.bodyfile  | jq '{"ts": .ts, "event": .name | fromjson | {"event_id": .event_id, "channel": .channel_name, "data": .custom_data} }'

The output looks like this:

{
  "ts": "2022-05-16T03:19:19+00:00",
  "event": {
    "event_id": 4624,
    "channel": "Security",
    "data": {
      "EventData": {
        "AuthenticationPackageName": "-",
        "IpAddress": "-",
        "IpPort": "-",
        "KeyLength": 0,
        "LmPackageName": "-",
        "LogonGuid": "00000000-0000-0000-0000-000000000000",
        "LogonProcessName": "-",
        "LogonType": 0,
        "ProcessId": "0x4",
        "ProcessName": "",
        "SubjectDomainName": "-",
        "SubjectLogonId": "0x0",
        "SubjectUserName": "-",
        "SubjectUserSid": "S-1-0-0",
        "TargetDomainName": "NT-AUTORITÄT",
        "TargetLogonId": "0x3e7",
        "TargetUserName": "SYSTEM",
        "TargetUserSid": "S-1-5-18",
        "TransmittedServices": "-",
        "WorkstationName": "-"
      }
    }
  }
}

Changelog

Version  Change
0.1.2    support for gzip-compressed input as an optional feature. This was a user request to allow reducing the bodyfile footprint
0.2.2    lines containing invalid characters are no longer ignored
1.0.1    also show lines whose timestamps are all set to -1
1.0.5    better handling of ambiguous file names
1.1.0    support for JSON output, parseable with jq
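To make the timezone and -1 handling described above concrete, here is an added Python sketch of the bodyfile-to-JSON step; it is not mactime2's own code (which is Rust). It groups the four bodyfile timestamps into MACB rows, emits RFC3339 with an explicit offset instead of the analysis host's local time, and keeps rows whose timestamps are all -1 (changelog 1.0.1). The parameters `src_offset_hours`/`display_offset_hours` as analogues of `--from-timezone`/`--to-timezone`, and the sample bodyfile lines, are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone
import json

# Bodyfile layout (TSK 3.x): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Constructed sample: a Security.evtx row whose atime == mtime, plus a row with
# every timestamp unset (-1). 1652671159 is 2022-05-16T03:19:19Z.
SAMPLE_BODYFILE = (
    "0|C:/Windows/System32/winevt/Logs/Security.evtx|1234|r/rrwxrwxrwx|0|0|69632"
    "|1652671159|1652671159|1652671160|-1\n"
    "0|C:/Users/analyst/deleted.tmp|5|r/rrwxrwxrwx|0|0|0|-1|-1|-1|-1\n"
)

def parse_bodyfile(text, src_offset_hours=0, display_offset_hours=0, strict=True):
    """Bodyfile lines -> sorted MACB rows with RFC3339 timestamps.
    src_offset_hours: assumed analogue of --from-timezone (epochs were derived
      from wall-clock time in that zone, so true epoch = value - offset).
    display_offset_hours: assumed analogue of --to-timezone; output always
      carries an explicit offset and never uses the host's local zone.
    strict: raise on malformed lines instead of skipping them (cf. --strict).
    """
    display_tz = timezone(timedelta(hours=display_offset_hours))
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            if strict:
                raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
            continue
        name, size = fields[1], int(fields[6])
        by_value = {}  # bodyfile order is a,m,c,b; equal values share one row
        for flag, raw in zip("amcb", fields[7:11]):
            by_value.setdefault(int(raw), []).append(flag)
        for epoch, flags in sorted(by_value.items()):
            if epoch < 0 and len(by_value) > 1:
                continue  # -1 beside real timestamps is just an unset slot
            ts = None
            if epoch >= 0:
                true_epoch = epoch - src_offset_hours * 3600
                ts = datetime.fromtimestamp(true_epoch, display_tz).isoformat()
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append({"ts": ts, "macb": macb, "size": size, "name": name})
    # Rows whose every timestamp was -1 keep ts=None and sort last.
    events.sort(key=lambda e: (e["ts"] is None, e["ts"] or ""))
    return events

def to_json_lines(events):
    """One JSON object per line, the shape jq consumes in the example above."""
    return "\n".join(json.dumps(e, ensure_ascii=False) for e in events)
```

Running `parse_bodyfile(SAMPLE_BODYFILE)` yields the `ma..` row at 2022-05-16T03:19:19+00:00, the `..c.` row one second later, and the all-`-1` row with a null timestamp last.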

Dependencies

~8–19MB
~317K SLoC