{ "cells": [ { "attachments": {}, "cell_type": "markdown", "metadata": {}, "source": [ "# Timestamper\n", "\n", "This presentation's goal is to introduce the features of the `timestamper` and how to configure it." ] }, { "attachments": {}, "cell_type": "markdown", "metadata": {}, "source": [ "## The challenge\n", "\n", "I want to normalize different time formats to one output format and timezone." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "from this:" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "document = {\n", " \"winlog\": {\n", " \"api\": \"wineventlog\",\n", " \"event_id\": 123456789,\n", " \"event_data\": {\"some_timestamp_utc\": \"1642160449\"},\n", " }\n", "}" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "to this:" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "expected = {\n", " \"@timestamp\": \"2022-01-14T12:40:49+01:00\",\n", " \"winlog\": {\n", " \"api\": \"wineventlog\",\n", " \"event_id\": 123456789,\n", " \"event_data\": {\"some_timestamp_utc\": \"1642160449\"},\n", " },\n", "}\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Create rule and processor" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the rule:" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "import sys\n", "sys.path.append(\"../../../../../\")\n", "import tempfile\n", "from pathlib import Path\n", "\n", "rule_yaml = \"\"\"---\n", " filter: \"winlog.event_id: 123456789\"\n", " timestamper: \n", " source_fields: [\"winlog.event_data.some_timestamp_utc\"]\n", " target_field: \"@timestamp\"\n", " source_format: UNIX\n", " source_timezone: UTC\n", " target_timezone: Europe/Berlin\n", " description: example timestamper rule\n", "\"\"\"\n", "\n", "rule_path = Path(tempfile.gettempdir()) / \"timestamper\"\n", "rule_path.mkdir(exist_ok=True)\n", "rule_file = rule_path / 
\"timestamper.yml\"\n", "rule_file.write_text(rule_yaml)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the processor config:" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "processor_config = {\n", " \"my_timestamper\":{ \n", " \"type\": \"timestamper\",\n", " \"rules\": [str(rule_path), \"/dev\"],\n", " }\n", " }" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "create the processor with the factory:" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from unittest import mock\n", "from logprep.factory import Factory\n", "\n", "mock_logger = mock.MagicMock()\n", "processor = Factory.create(processor_config)\n", "processor" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Process event" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [ "from copy import deepcopy\n", "mydocument = deepcopy(document)\n", "\n", "\n", "print(f\"before: {mydocument}\")\n", "processor.process(mydocument)\n", "print(f\"after: {mydocument}\")\n", "print(mydocument == expected)" ] } ], "metadata": { "kernelspec": { "display_name": ".venv", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.11.2" }, "orig_nbformat": 4 }, "nbformat": 4, "nbformat_minor": 2 }