Add RSYSLOG_SyslogProtocol23Format timestamp format, bugfix zone name was printed in base64

libbsm.go

@@ -127,7 +127,7 @@ const (
 	// Display control
 	PRT_ONELINE        = 1
 	PRT_NORESOLVE_USER = 2
-	PRT_TIMESTAMP      = 4
+	PRT_TIMESYSLOG23   = 4
 	PRT_JSON           = 8
 )
 
@@ -594,8 +594,8 @@ print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
 */
 func (h *Header32) Print(file *os.File, delimiter string, flags int) {
 	var timeval string
-	if PRT_TIMESTAMP == flags&PRT_TIMESTAMP {
-		timeval = strconv.Itoa(int(h.S))
+	if PRT_TIMESYSLOG23 == flags&PRT_TIMESYSLOG23 {
+		timeval = time.Unix((int64)(h.S), 0).Add(time.Millisecond * (time.Duration)(h.Msec)).Format("2006-01-02T15:04:05.000Z07:00")
 	} else {
 		t := time.Unix((int64)(h.S), 0)
 		timeval = t.Format(time.UnixDate)
@@ -607,7 +607,23 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) {
 	}
 
 	if flags&PRT_JSON == PRT_JSON {
-		printable := struct {
+		var printable interface{}
+		if PRT_TIMESYSLOG23 == flags&PRT_TIMESYSLOG23 {
+			printable = struct {
+				Size    uint32 `json:"size"`           // Record byte count
+				Version uint8  `json:"version"`        // version # (uchar)
+				E_type  string `json:"event_type"`     // Event type
+				E_mod   uint16 `json:"event_modifier"` // Event modifier
+				Ts      string `json:"timestamp"`      // Seconds of time converted to RSYSLOG_SyslogProtocol23Format
+			}{
+				Size:    h.Size,
+				Version: h.Version,
+				E_type:  evdesc,
+				E_mod:   h.E_mod,
+				Ts:      timeval,
+			}
+		} else {
+			printable = struct {
 				Size    uint32 `json:"size"`           // Record byte count
 				Version uint8  `json:"version"`        // version # (uchar)
 				E_type  string `json:"event_type"`     // Event type
@@ -622,6 +638,7 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) {
 				Ts:      timeval,
 				Msec:    h.Msec,
 			}
+		}
 
 		j, err := json.Marshal(printable)
 		if err != nil {
@@ -2972,6 +2989,22 @@ func (z *ZoneName) LoadFromBinary(rdr *bufio.Reader) error {
 }
 
 func (z *ZoneName) Print(file *os.File, delimiter string, flags int) {
+	if flags&PRT_JSON == PRT_JSON {
+		printable := struct {
+			Name   string `json:"name"`
+		}{
+			Name:   string(z.Zone),
+		}
+		j, err := json.Marshal(printable)
+		if err != nil {
+			// TODO
+			return
+		}
+		fmt.Fprintf(file, "\"zone\":")
+		fmt.Fprintf(file, "%s", j)
+		// ZoneName is always followed by something
+		fmt.Fprintf(file, ",")
+	} else {
 		fmt.Fprintf(file, "zone%s%s", delimiter, z.Zone)
 		if 0 == (flags & PRT_ONELINE) {
 			fmt.Fprintf(file, "\n")
@@ -2979,6 +3012,7 @@ func (z *ZoneName) Print(file *os.File, delimiter string, flags int) {
 			fmt.Fprintf(file, "%s", delimiter)
 		}
 	}
+}
 
 
 // From sys/bsm/audit_record.h

main.go

@@ -33,7 +33,7 @@ import (
 )
 
 const (
-	version = "5.9.9a"
+	version = "5.9.9b"
 )
 
 var (
@@ -48,12 +48,13 @@ func main() {
 	var flags int
 	var oneLine bool
 	var noUserResolve bool
-	var timestamp bool
+	var syslog23 bool
 	var json bool
 
 	pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line.")
 	pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms.")
 	pflag.BoolVarP(&json, "json", "j", false, "Print compact json")
+	pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output.")
 	pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit")
 
 	pflag.Parse()
@@ -68,8 +69,8 @@ func main() {
 	if noUserResolve {
 		flags = flags + PRT_NORESOLVE_USER
 	}
-	if timestamp {
-		flags = flags + PRT_TIMESTAMP
+	if syslog23 {
+		flags = flags + PRT_TIMESYSLOG23
 	}
 	if json {
 		flags |= PRT_JSON