[fix] revert acs changes (#620)

Revert
CSVD · Aug 7, 2020 · feef892 · feef892
1 parent 2e90af6
commit feef892
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
@@ -37,6 +37,23 @@ parser acs_grouping {
     );
 };
 
+#The syslog message includes a date with milliseconds and TZ which is not in the header
+#So must reparse the date
+
+parser acs_event_time {
+    csv-parser(
+        columns(ACS.DATE, ACS.TIME, ACS.TZ, MESSAGE)
+        delimiters(chars(" "))
+        flags(greedy)
+    );
+
+    date-parser-nofilter(
+            #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm
+            format('%Y-%m-%d %H:%M:%S.%f %z')
+            template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}")
+    );
+};
+
 log {
     junction {
 {{- if or (or (getenv  (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }}
@@ -66,6 +83,7 @@ log {
 
     if {
         filter(f_cisco_acs_complete);
+        parser(acs_event_time);
         rewrite {
             set("cisco_acs", value("fields.sc4s_vendor_product"));
             r_set_splunk_dest_default(sourcetype("cisco:acs"))
@@ -86,4 +104,4 @@ log {
         flags(flow-control,final);
     };
 
-};
+};