poshsecurity / Posh-SYSLOG

Send SYSLOG messages from PowerShell
http://poshsecurity.com
MIT License

RFC3164 Timestamp Single Digit Day Format #11

Closed benclaussen closed 6 years ago

benclaussen commented 6 years ago

https://github.com/poshsecurity/Posh-SYSLOG/blob/aaa41ffb0b0d9674f033d81510786c81a9717150/Functions/Send-SyslogMessage.ps1#L280

In the format specifier, dd returns a leading zero for single digit days. The RFC calls for a space in place of a leading zero where the day is less than 10.

https://tools.ietf.org/html/rfc3164#section-4.1.2

The TIMESTAMP field is the local time and is in the format of "Mmm dd hh:mm:ss" (without the quote marks) where: ... dd is the day of the month. If the day of the month is less than 10, then it MUST be represented as a space and then the number. For example, the 7th day of August would be represented as "Aug  7", with two spaces between the "g" and the "7".

Something like the following might be an easy fix:

$day = switch ($Timestamp.ToString('%d').Length) {
    1 { $Timestamp.ToString(' %d') }
    2 { $Timestamp.ToString('%d') }
}

$FormattedTimestamp = (Get-Culture).TextInfo.ToTitleCase($Timestamp.ToString("MMM $day HH:mm:ss"))

or an if:

$day = if ($Timestamp.ToString('%d').Length -eq 1) {
    $Timestamp.ToString(' %d')
} else {
    $Timestamp.ToString('%d')
}

...You get the idea.

%d returns the day without a leading zero if it is not used with any other format specifiers: https://technet.microsoft.com/en-us/library/ee692801.aspx. Using just d inline would omit that necessary space, thus the conditional block.

Thanks for the module!
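
The single-digit-day rule quoted above, as an added example that is not part of the original post and not the module's own code: it builds the RFC 3164 TIMESTAMP with a space-padded day and checks both the old `dd` output and the padded output against a strict pattern. The function names `Format-Rfc3164Timestamp` and `Test-Rfc3164Timestamp` and the sample dates are assumptions made for illustration.

```powershell
# Added example: function names and sample dates are hypothetical/constructed.
$inv = [System.Globalization.CultureInfo]::InvariantCulture

function Format-Rfc3164Timestamp {
    [OutputType([string])]
    param(
        [Parameter(Mandatory)]
        [datetime] $Timestamp
    )
    # Invariant culture keeps the month as the English abbreviation (Jan, Feb, ...)
    # regardless of the locale of the sending host.
    $month = $Timestamp.ToString('MMM', $inv)
    # The [string] cast has no leading zero; PadLeft(2) supplies the space for days 1-9.
    $day = ([string]$Timestamp.Day).PadLeft(2)
    $time = $Timestamp.ToString('HH:mm:ss', $inv)
    '{0} {1} {2}' -f $month, $day, $time
}

function Test-Rfc3164Timestamp {
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)]
        [string] $Text
    )
    # Day is either " 1".." 9" (space-padded) or 10..31; a leading zero is rejected.
    $pattern = '^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ' +
               '( [1-9]|[12][0-9]|3[01]) ' +
               '([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$'
    # -cmatch is case-sensitive, so "JAN" or "jan" does not pass.
    $Text -cmatch $pattern
}

# Constructed sample dates: one single-digit day, one two-digit day.
$samples = [datetime]'2018-01-02T09:05:07', [datetime]'2018-01-17T23:59:59'

foreach ($sample in $samples) {
    $zeroPadded  = $sample.ToString('MMM dd HH:mm:ss', $inv)   # behaviour reported in this issue
    $spacePadded = Format-Rfc3164Timestamp -Timestamp $sample
    [pscustomobject]@{
        ZeroPadded       = "'$zeroPadded'"
        ZeroPaddedValid  = Test-Rfc3164Timestamp -Text $zeroPadded
        SpacePadded      = "'$spacePadded'"
        SpacePaddedValid = Test-Rfc3164Timestamp -Text $spacePadded
    }
}
```

The same pattern can be used on the receiving side to flag senders whose timestamps a strict RFC 3164 parser would fail to parse.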

kjacobsen commented 6 years ago

Great pickup Ben! No matter how many times I read the RFC, I always seem to find some new quirk or something I either missed or didn't understand.

If you don't mind me asking, how did you pick this issue up?

I have another update inbound, I will finish that one off before taking a look at this one.

It is so great to hear people who are using my module.

kjacobsen commented 6 years ago

Hi Ben,

I think I have corrected the issue. I have created a new branch: https://github.com/poshsecurity/Posh-SYSLOG/tree/RFC3164-timestampfix. If you have time, it would be great if you could test out that code.

benclaussen commented 6 years ago

I use a program called SyslogWatcher and was testing a new script on Jan 2nd... Watching the logs come in from other programs, the timestamp from the Send-SyslogMessage cmdlet stuck out because of the preceding zero. Ended up digging in the code to find why. The code is clean and well written so it made it easy to diagnose 👍

I just tested it on the branch you referenced and it worked for me when I supplied it a timestamp of Jan 9, 2018, as well as setting my system clock to Jan 9. I would say it is good to go!

Thank you!

kjacobsen commented 6 years ago

I have pushed the fixes to master and to the PowerShell gallery.