From feef8927ccbe00f4e9ecec7547d33a113e06258e Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 16:54:08 -0400
Subject: [PATCH] [fix] revert acs changes (#620)

Revert
---
 .../conf.d/log_paths/lp-cisco_acs.conf.tmpl | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
index 7c463b8..eb3ca7b 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
@@ -37,6 +37,23 @@ parser acs_grouping {
 );
 };
 
+#The syslog message includes a date with milliseconds and TZ which is not in the header
+#So must reparse the date
+
+parser acs_event_time {
+ csv-parser(
+ columns(ACS.DATE, ACS.TIME, ACS.TZ, MESSAGE)
+ delimiters(chars(" "))
+ flags(greedy)
+ );
+
+ date-parser-nofilter(
+ #YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm
+ format('%Y-%m-%d %H:%M:%S.%f %z')
+ template("${ACS.DATE} ${ACS.TIME} ${ACS.TZ}")
+ );
+};
+
 log {
 junction {
 {{- if or (or (getenv (print "SC4S_LISTEN_CISCO_ACS_TCP_PORT")) (getenv (print "SC4S_LISTEN_CISCO_ACS_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CISCO_ACS_TLS_PORT")) }}
@@ -66,6 +83,7 @@ log {
 
 if {
 filter(f_cisco_acs_complete);
+ parser(acs_event_time);
 rewrite {
 set("cisco_acs", value("fields.sc4s_vendor_product"));
 r_set_splunk_dest_default(sourcetype("cisco:acs"))
@@ -86,4 +104,4 @@ log {
 flags(flow-control,final);
 };
 
-};
+};
\ No newline at end of file
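Review bot: The comment inside `date-parser-nofilter` contradicts the format string it documents: it reads `#YYYY- MM-DD hh:mm:ss:xxx +/-zh:zm` (colon before the milliseconds, stray space after the year) while the format is `'%Y-%m-%d %H:%M:%S.%f %z'`, which expects a dot, so it should be `#YYYY-MM-DD hh:mm:ss.xxx +/-zh:zm`. Separately, `csv-parser` with `delimiters(chars(" "))` and `flags(greedy)` hands everything after the third space to `MESSAGE`, so an event that does not begin with date, time and offset tokens either fails the column match or has its first three words consumed as a timestamp; whether a failed match drops the event depends on csv-parser's drop-invalid setting, which this hunk does not set, and `date-parser-nofilter` looks like a project-local wrapper whose failure behaviour is not visible here. A one-line comment on `parser acs_event_time {` stating that the parser assumes the ACS event body starts with `YYYY-MM-DD hh:mm:ss.xxx +hh:mm` would make that assumption explicit. The same parser is attached in the second hunk (`parser(acs_event_time);`), so the assumption applies there as well.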
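Review bot: `parser(acs_event_time);` rewrites `MESSAGE` as a side effect, because the parser added in the first hunk names `MESSAGE` as its greedy fourth column; after this line the message body no longer carries the leading date, time and offset tokens, and `r_set_splunk_dest_default(sourcetype("cisco:acs"))` two lines below presumably forwards that trimmed body. If the original event text is meant to reach the destination unchanged, the remainder should go to a dedicated name (e.g. a constructed `ACS.REST`) rather than `MESSAGE`; if trimming is intended, record it here with `# acs_event_time also strips the timestamp prefix from MESSAGE`. The enclosing `log { ... }` block starts and ends outside this hunk.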