Skip to content

fix: Extracting timezone from cisco_ios logs #2994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
digrajpu wants to merge 3 commits into
base: develop
Choose a base branch
from
+82 −10
Draft

fix: Extracting timezone from cisco_ios logs #2994

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ea474fd
fix: Extracting timezone from cisco_ios logs
digrajpu Mar 30, 2026
b03bbf2
fix: Fixing timezone issue in test cases
digrajpu Apr 2, 2026
4dc873f
fix: Changes updated in lite package
digrajpu Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-cisco_syslog.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ block parser app-almost-syslog-cisco_syslog() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('(?<timestatus>[\*\.])?(?:(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+(?:\.\d+)?(?:Z|[\+-] *\d+:\d+)|[A-Z][a-z]{2} [ 0123]\d(?: \d{4})? \d\d:\d\d:\d\d(?: [AP]M)?(?:[^ :]+)?)(?: (?<tz>[A-Za-z]{1,4}T))?)')
patterns('(?<timestatus>[\*\.])?(?:(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+(?:\.\d+)?(?:Z|[\+-] *\d+:\d+)|[A-Z][a-z]{2} [ 0123]\d(?: \d{4})? \d\d:\d\d:\d\d(?: [AP]M)?(?:[^ :]+)?)(?: (?<tz>[A-Za-z]{1,4}))?)')
template('${.tmp.header}')
);
};
Expand All @@ -110,13 +110,28 @@ block parser app-almost-syslog-cisco_syslog() {
'%b %d %H:%M:%S',
'%b %d %I:%M:%S %p.%f',
'%b %d %I:%M:%S %p',
'%b %d %Y %I:%M:%S %p.%f'
'%b %d %Y %I:%M:%S %p.%f',
'%b %d %Y %H:%M:%S.%f',
'%b %d %Y %H:%M:%S',
'%Y-%m-%dT%T%z',
)
template("${.tmp.timestamp}"));
};
if (match("CEST|CET" value(".tmp.tz"))) {
rewrite { fix-time-zone("Europe/Berlin"); };
} elif (match("PST|PDT" value(".tmp.tz"))) {
rewrite { fix-time-zone("America/Los_Angeles"); };
} elif (match("EST|EDT|DST" value(".tmp.tz"))) {
rewrite { fix-time-zone("America/New_York"); };
} elif (match("BST|GMT" value(".tmp.tz"))) {
rewrite { fix-time-zone("Europe/London"); };
} elif (match("CDT" value(".tmp.tz"))) {
rewrite {fix-time-zone("America/Chicago"); };
} elif (match("IST" value(".tmp.tz"))) {
rewrite { fix-time-zone("Asia/Kolkata"); };
} elif (match("JST" value(".tmp.tz"))) {
rewrite { fix-time-zone("Asia/Tokyo"); };
} else {};
} elif {
#This is "uptime" if we match this isn't a time stamp
parser {
Expand Down
19 changes: 17 additions & 2 deletions package/lite/etc/addons/cisco/app-almost-syslog-cisco_syslog.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ block parser app-almost-syslog-cisco_syslog() {
parser {
regexp-parser(
prefix(".tmp.")
patterns('(?<timestatus>[\*\.])?(?:(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+(?:\.\d+)?(?:Z|[\+-] *\d+:\d+)|[A-Z][a-z]{2} [ 0123]\d(?: \d{4})? \d\d:\d\d:\d\d(?: [AP]M)?(?:[^ :]+)?)(?: (?<tz>[A-Za-z]{1,4}T))?)')
patterns('(?<timestatus>[\*\.])?(?:(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+(?:\.\d+)?(?:Z|[\+-] *\d+:\d+)|[A-Z][a-z]{2} [ 0123]\d(?: \d{4})? \d\d:\d\d:\d\d(?: [AP]M)?(?:[^ :]+)?)(?: (?<tz>[A-Za-z]{1,4}))?)')
template('${.tmp.header}')
);
};
Expand All @@ -110,13 +110,28 @@ block parser app-almost-syslog-cisco_syslog() {
'%b %d %H:%M:%S',
'%b %d %I:%M:%S %p.%f',
'%b %d %I:%M:%S %p',
'%b %d %Y %I:%M:%S %p.%f'
'%b %d %Y %I:%M:%S %p.%f',
'%b %d %Y %H:%M:%S.%f',
'%b %d %Y %H:%M:%S',
'%Y-%m-%dT%T%z',
)
template("${.tmp.timestamp}"));
};
if (match("CEST|CET" value(".tmp.tz"))) {
rewrite { fix-time-zone("Europe/Berlin"); };
} elif (match("PST|PDT" value(".tmp.tz"))) {
rewrite { fix-time-zone("America/Los_Angeles"); };
} elif (match("EST|EDT|DST" value(".tmp.tz"))) {
rewrite { fix-time-zone("America/New_York"); };
} elif (match("BST|GMT" value(".tmp.tz"))) {
rewrite { fix-time-zone("Europe/London"); };
} elif (match("CDT" value(".tmp.tz"))) {
rewrite {fix-time-zone("America/Chicago"); };
} elif (match("IST" value(".tmp.tz"))) {
rewrite { fix-time-zone("Asia/Kolkata"); };
} elif (match("JST" value(".tmp.tz"))) {
rewrite { fix-time-zone("Asia/Tokyo"); };
} else {};
} elif {
#This is "uptime" if we match this isn't a time stamp
parser {
Expand Down
54 changes: 48 additions & 6 deletions tests/test_cisco_ios.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
from .sendmessage import sendsingle
from .splunkutils import splunk_single
from .timeutils import time_operations
from zoneinfo import ZoneInfo
import datetime

import pytest
Expand Down Expand Up @@ -73,6 +74,43 @@
]


def return_timezone(message):
tz_list = ['CDT', 'DST', 'EDT', 'CEST', 'CET','PST','PDT','EST','BST','GMT','IST', 'JST']
return next((tz for tz in tz_list if tz in message), 'UTC')


def epoch_to_utc(epoch, abbr):
"""
Converts a epoch timestamp to a UTC datetime object based on a
specific timezone abbreviation and return converted epoch time.
"""
tz_map = {
'CDT': 'America/Chicago',
'DST': 'America/New_York',
'EDT': 'America/New_York',
'EST': 'America/New_York',
'CEST': 'Europe/Paris',
'CET': 'Europe/Paris',
'PST': 'America/Los_Angeles',
'PDT': 'America/Los_Angeles',
'BST': 'Europe/London',
'GMT': 'Europe/London',
'IST': 'Asia/Kolkata',
'JST': 'Asia/Tokyo',
}

# Get the standard IANA name from your map
iana_name = tz_map.get(abbr)
if not iana_name:
return epoch

utc_dt = datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc)
local_dt = utc_dt.replace(tzinfo=ZoneInfo(iana_name))
converted_utc_dt = local_dt.astimezone(datetime.timezone.utc)

return int(converted_utc_dt.timestamp())


@pytest.mark.parametrize("event", testdata)
@pytest.mark.addons("cisco")
def test_cisco_ios(
Expand Down Expand Up @@ -102,13 +140,14 @@ def test_cisco_ios(
host=host,
year=year,
)

tzname = return_timezone(message)
new_epoch = epoch_to_utc(int(epoch), tzname)
sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string(
'search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype="cisco:ios" (host="{{ host }}" OR "{{ host }}")'
)
search = st.render(epoch=epoch, millisec=millisec, microsec=microsec, host=host)
search = st.render(epoch=new_epoch, millisec=millisec, microsec=microsec, host=host)

result_count, _ = splunk_single(setup_splunk, search)

Expand Down Expand Up @@ -148,13 +187,14 @@ def test_cisco_ios_badtime(
tzname=tzname,
host=host,
)

tzname = return_timezone(message)
new_epoch = epoch_to_utc(int(epoch), tzname)
sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string(
'search index=netops earliest=-1m@m latest=+1m@m sourcetype="cisco:ios" (host="{{ host }}" OR "{{ host }}")'
'search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype="cisco:ios" (host="{{ host }}" OR "{{ host }}")'
)
search = st.render(host=host)
search = st.render(epoch=new_epoch, millisec=millisec, microsec=microsec, host=host)

result_count, _ = splunk_single(setup_splunk, search)

Expand Down Expand Up @@ -245,13 +285,15 @@ def test_cisco_nx_os_soup2(
message = mt.render(
mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
)
tzname = return_timezone(message)
new_epoch = epoch_to_utc(int(epoch), tzname)

sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

st = env.from_string(
'search _time={{ epoch }} host!=GMT index=netops sourcetype="cisco:ios" {{ host }}'
)
search = st.render(epoch=epoch, host=host)
search = st.render(epoch=new_epoch, host=host)

result_count, _ = splunk_single(setup_splunk, search)

Expand Down
Loading