Hello,
I'm trying to adjust this raw data seen below. Our office is EST and the FireEye appliance is BST, but the test alerts I'm generating are coming in UTC. I've looked all over the place to change this:
8/23/16
2:09:48.000 PM
<162>fenotify-3386.crit: CEF:0|FireEye|MPS|7.8.1.468932|MC|malware-callback|7|rt=Aug 23 2016 18:04:23 UTC
I made a props.conf in the local directory for the search app and put this inside, but it doesn't seem to be working either.
[fe_alert]
# The timestamp sits directly after "rt=" in the CEF extension
TIME_PREFIX = rt=
# Matches "Aug 23 2016 18:04:23 UTC" (month name, day, year, time, zone abbreviation)
TIME_FORMAT = %b %d %Y %H:%M:%S %Z
MAX_TIMESTAMP_LOOKAHEAD = 28
Any help would be appreciated.
Thank you
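The parsing the post is after, shown as an added Python example rather than anything from the original post or from Splunk/FireEye: it pulls the rt= value out of the CEF extension with a regex that mirrors the TIME_PREFIX/TIME_FORMAT idea, parses it with the strptime format for "Aug 23 2016 18:04:23 UTC", and converts the UTC time to the office zone. The sample line is a constructed copy of the event in the post; the field layout (pipe-separated header, space-separated key=value extension) and the assumption that rt= is always in UTC are mine.

```python
"""Extract and convert the rt= timestamp of a FireEye CEF event.

Added example, not code from the original post. Assumes the CEF extension
is a run of key=value pairs and that rt= carries a UTC timestamp, as in the
sample event in the post.
"""
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed copy of the sample event from the post
SAMPLE = ("<162>fenotify-3386.crit: CEF:0|FireEye|MPS|7.8.1.468932|MC|"
          "malware-callback|7|rt=Aug 23 2016 18:04:23 UTC")

# Equivalent of TIME_FORMAT without the zone: "%b %d %Y %H:%M:%S"
RT_FORMAT = "%b %d %Y %H:%M:%S"

# Captures the date/time and the zone abbreviation separately so the zone
# can be validated instead of handed to strptime's %Z, which only accepts
# a small set of names.
RT_RE = re.compile(r"\brt=([A-Za-z]{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) ([A-Za-z]+)")


def cef_extension(line: str) -> str:
    """Return the extension (everything after the seven header fields)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].endswith("CEF:0"):
        raise ValueError("not a CEF:0 line")
    return parts[7]


def parse_rt(line: str) -> datetime:
    """Parse rt= from a CEF line into a timezone-aware UTC datetime."""
    match = RT_RE.search(cef_extension(line))
    if match is None:
        raise ValueError("no rt= timestamp found")
    stamp, zone = match.groups()
    if zone != "UTC":
        # The post says alerts arrive in UTC; anything else is unexpected.
        raise ValueError(f"unexpected zone in rt=: {zone}")
    return datetime.strptime(stamp, RT_FORMAT).replace(tzinfo=timezone.utc)


def parse_rt_iso(line: str) -> str:
    """ISO 8601 form of the parsed UTC timestamp."""
    return parse_rt(line).isoformat()


def to_office(dt: datetime, office_tz: tzinfo) -> datetime:
    """Convert an aware datetime to the office zone."""
    return dt.astimezone(office_tz)


def office_time_iso(line: str, offset_hours: int) -> str:
    """Convert rt= to a fixed-offset zone (e.g. -4 for EDT in August)."""
    office_tz = timezone(timedelta(hours=offset_hours))
    return to_office(parse_rt(line), office_tz).isoformat()


if __name__ == "__main__":
    utc_time = parse_rt(SAMPLE)
    print("UTC:   ", utc_time.isoformat())
    try:
        from zoneinfo import ZoneInfo  # Python 3.9+, needs system tzdata
        local_tz = ZoneInfo("America/New_York")
    except Exception:
        # Fallback when no tz database is available: August is EDT (UTC-4)
        local_tz = timezone(timedelta(hours=-4), "EDT")
    print("Office:", to_office(utc_time, local_tz).isoformat())
```

Run as a script it prints the UTC time from the event and the same instant in the office zone (14:04:23 on 23 Aug 2016, since New York is on EDT in August). Validating the zone abbreviation rather than trusting strptime's %Z is deliberate: if the appliance ever switched to emitting local time, the parser fails loudly instead of silently mis-stamping events.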