When the Logs Aren't Right
by J. Edward Durrett
Then, take the difference between the two timestamps. This will be the offset variable used in the script
further down on this page. The log I am going to change is a DNS query log, which looks like this:
The date in the logs has nanoseconds (the last 3 numbers in the timestamp), but the version of date on *BSD and
OSX doesn't support that. So, to get the date down to the second, the script below ignores the nanoseconds.
GNU date does support nanoseconds with the %N format code. This script looks at every line, converts the
timestamp to seconds, adds the offset (basic math reminder: to subtract, just make the offset a negative number),
converts the time back to the original format, and writes a new line with the new timestamp to a new log file:
For different timestamp formats in different logs, modifying the format string of date is necessary for the
script to work properly. Of course, the script could first read the format and, through a series of conditionals,
determine which format string to use, but this script works well enough for my purposes today.
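The same procedure as an added example, not the post's own script: it uses Python's datetime instead of shell calls to date, so it runs the same way on *BSD, OSX and Linux, and it keeps the fractional-second digits that the post's script has to drop. The log lines, the "YYYY-MM-DD HH:MM:SS.fff" timestamp layout and the function names are assumptions; change TS_FORMAT and TS_RE for a log with a different layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the real DNS query log is not shown on the page.
SAMPLE_LOG = """\
2019-03-01 12:00:00.123 client 10.0.0.5 query: example.com A
2019-03-01 00:30:00.456 client 10.0.0.5 query: example.org AAAA
"""

# Equivalent of the format string handed to date; edit for other logs.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Leading timestamp plus an optional fraction that is carried through untouched.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(\.\d+)?")


def offset_between(wrong_ts, correct_ts):
    """Offset in seconds that turns a timestamp from the mis-set clock into the
    correct one (negative when the clock was ahead)."""
    wrong = datetime.strptime(wrong_ts, TS_FORMAT)
    correct = datetime.strptime(correct_ts, TS_FORMAT)
    return int((correct - wrong).total_seconds())


def shift_timestamp(line, offset_seconds):
    """Return the line with its leading timestamp moved by offset_seconds.
    Lines without a leading timestamp are returned unchanged."""
    m = TS_RE.match(line)
    if not m:
        return line
    seconds_part, fraction = m.group(1), m.group(2) or ""
    ts = datetime.strptime(seconds_part, TS_FORMAT)
    shifted = ts + timedelta(seconds=offset_seconds)  # day/month rollover handled
    return shifted.strftime(TS_FORMAT) + fraction + line[m.end():]


def shift_log(text, offset_seconds):
    """Apply shift_timestamp to every line of a log held in a string."""
    return "".join(shift_timestamp(line, offset_seconds)
                   for line in text.splitlines(keepends=True))


if __name__ == "__main__":
    # Clock was one hour ahead: offset is -3600 seconds.
    print(shift_log(SAMPLE_LOG, offset_between("2019-03-01 12:00:00",
                                               "2019-03-01 11:00:00")), end="")
```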
Often in the course of a day I come across something unexpected. There usually is a solution, often a very simple
one like the above. Of course, the time should be fixed on the machines so they are in sync, but an improperly
timed machine need not be an obstacle to performing log analysis.
Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.
Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.