77c3564942
* website: add six product articles * images * Website: add article images * add image caption styles * Update articles/get-and-stay-compliant-across-your-devices-with-fleet.md * Update articles/get-and-stay-compliant-across-your-devices-with-fleet.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/apply-byod-to-soothe-supply-chain-pain.md * Update articles/correlate-network-connections-with-community-id-in-osquery.md * Update articles/correlate-network-connections-with-community-id-in-osquery.md * Update articles/correlate-network-connections-with-community-id-in-osquery.md * Update articles/using-elasticsearch-and-kibana-to-visualize-osquery-performance.md * Update articles/using-elasticsearch-and-kibana-to-visualize-osquery-performance.md * Update articles/using-elasticsearch-and-kibana-to-visualize-osquery-performance.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md * Update articles/work-may-be-watching-but-it-might-not-be-as-bad-as-you-think.md Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
3.1 KiB
Converting unix timestamps with osquery
Human readable timestamps
Unix timestamps can be confusing for even the smartest Time Lord.
If you are anything like me, and unix timestamps leave you thinking about the mysterious numbers in Lost, you’re going to want to convert them into something more human friendly. Running your timestamp through any number of online converters is one way to go, but it’s a clunky process.
Hmm… 10800? That’s Thursday, January 1, 1970 3:00:00 AM, if I’m not mistaken.
Thankfully, we can easily convert unix timestamps directly in osquery:
SELECT
unixtime,
datetime(unixtime, 'unixepoch') AS timestamp
FROM
(SELECT 1623366772 AS unixtime);
unixtime = 1623366772
timestamp = 2021-06-10 23:12:52
The above query returns the time in UTC, but what if we want to get the local timestamp for the system being queried?
SELECT
datetime(unixtime, 'unixepoch') AS timestamp,
datetime(unixtime, 'unixepoch', 'localtime') AS local_timestamp FROM
(SELECT 1623366772 AS unixtime);
timestamp = 2021-06-10 23:12:52
local_timestamp = 2021-06-11 8:12:52
We can take this further by baking this idea into any of our queries. Let’s run a simple query to get all running processes on our host.
SELECT
name, cmdline, start_time
FROM
processes
As you can see, we have start_time listed in unix time again.
So let’s augment our query with the datetime line from before to give us a more human friendly output for start_time.
SELECT
name, cmdline,
datetime(start_time, 'unixepoch') AS start_time
FROM
processes
And finally, as before, we can of course output that data as the local time for our host by you guessed it, adding localtime to our query.
SELECT
name, cmdline,
datetime(start_time, 'unixepoch', 'localtime') AS start_time
FROM
processes
So there we go. Simple, human readable timestamps with osquery.
Could this post be more helpful?
Let us know if you can think of any other example scenarios you’d like us to cover.