diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml index b7925538..215fafc3 100644 --- a/test/falco_tests.yaml +++ b/test/falco_tests.yaml @@ -659,6 +659,7 @@ trace_files: !mux - rules/single_rule.yaml conf_file: confs/stdout_output.yaml trace_file: trace_files/cat_write.scap + time_iso_8601: true output_strictly_contains: - stdout: output_files/single_rule_with_cat_write.txt @@ -670,6 +671,7 @@ trace_files: !mux - rules/single_rule.yaml conf_file: confs/stdout_output.yaml trace_file: trace_files/cat_write.scap + time_iso_8601: true output_strictly_contains: - stdout: output_files/single_rule_with_cat_write.json @@ -680,6 +682,7 @@ trace_files: !mux - rules/single_rule.yaml conf_file: confs/file_output.yaml trace_file: trace_files/cat_write.scap + time_iso_8601: true output_strictly_contains: - /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt @@ -690,6 +693,7 @@ trace_files: !mux - rules/single_rule.yaml conf_file: confs/program_output.yaml trace_file: trace_files/cat_write.scap + time_iso_8601: true output_strictly_contains: - /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt @@ -701,6 +705,7 @@ trace_files: !mux conf_file: confs/grpc_unix_socket.yaml trace_file: trace_files/cat_write.scap run_duration: 5 + time_iso_8601: true grpc: address: unix:///tmp/falco/falco.sock proto: outputs.proto @@ -711,10 +716,10 @@ trace_files: !mux - "seconds:1470327477 nanos:881781397" - "priority: WARNING" - "rule: \"open_from_cat\"" - - "output: \"18:17:57.881781397: Warning An open was seen (command=cat /dev/null)\"" + - "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\"" # output fields - - "key: \"evt.time\"" - - "value: \"18:17:57.881781397\"" + - "key: \"evt.time.iso8601\"" + - "value: \"2016-08-04T16:17:57.881781397+0000\"" - "key: \"proc.cmdline\"" - "value: \"cat /dev/null\"" # For the hostname, since we don't know that beforehand, 
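Review bot: With `time_iso_8601: true` added to every test in these hunks (stdout, JSON, file, program and gRPC outputs), none of the visible cases still exercises the default non-ISO timestamp formatter, so a regression in that path would pass unnoticed unless a test outside this diff covers it; consider keeping one case on the default format with its own expected-output fixture. In the last hunk the gRPC expectation pins `evt.time.iso8601` as `2016-08-04T16:17:57.881781397+0000`, a fixed-offset `+0000` form, while the JSON fixture's top-level `time` for the same instant uses the `Z` designator, so consumers correlating the two need a parser that accepts both. A note such as `# evt.time.iso8601 renders UTC with a +0000 suffix, not Z` next to the value line would make that explicit. The test entries these hunks modify begin above each hunk.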
diff --git a/test/output_files/single_rule_with_cat_write.json b/test/output_files/single_rule_with_cat_write.json
index e58ec4bf..9203ee7a 100644
--- a/test/output_files/single_rule_with_cat_write.json
+++ b/test/output_files/single_rule_with_cat_write.json
@@ -1,8 +1,8 @@
-{"output":"18:17:57.881781397: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.881785348: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.881796705: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.881799840: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882003104: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882008208: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882045694: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882054739: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
diff --git a/test/output_files/single_rule_with_cat_write.txt b/test/output_files/single_rule_with_cat_write.txt
index 40b8d7b7..a68295fc 100644
--- a/test/output_files/single_rule_with_cat_write.txt
+++ b/test/output_files/single_rule_with_cat_write.txt
@@ -1,8 +1,8 @@
-18:17:57.881781397: Warning An open was seen (command=cat /dev/null)
-18:17:57.881785348: Warning An open was seen (command=cat /dev/null)
-18:17:57.881796705: Warning An open was seen (command=cat /dev/null)
-18:17:57.881799840: Warning An open was seen (command=cat /dev/null)
-18:17:57.882003104: Warning An open was seen (command=cat /dev/null)
-18:17:57.882008208: Warning An open was seen (command=cat /dev/null)
-18:17:57.882045694: Warning An open was seen (command=cat /dev/null)
-18:17:57.882054739: Warning An open was seen (command=cat /dev/null)
\ No newline at end of file
+2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)
\ No newline at end of file
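Review bot: Every rewritten record in the JSON fixture pins three different representations of the same instant — a `+0000`-suffixed ISO string inside `output`, a `Z`-suffixed ISO string in `time`, and a bare epoch-nanosecond integer under the renamed `evt.time.iso8601` output field — and the integer is the part worth a second look. If emitting the raw field value rather than the rendered string under `output_fields` is intended Falco behavior, asserting it here is fine, but the field name promises an ISO string and a consumer keyed on that name will misparse the integer; confirm which is intended before the fixture locks it in. Since a JSON fixture has no comment syntax, the explanation belongs in the test entry in falco_tests.yaml that consumes this file, e.g. `# output_fields carries the raw epoch-ns value even for evt.time.iso8601`. The `Z` versus `+0000` split within one record is also worth documenting there for anyone feeding these events to a SIEM.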