The timestamps associated with the logs grabbed by the Cisco IDS XML Service appear to be based on the time the service pulled them from the IDS device, rather than the unix timestamp present on each log line. The unix timestamp in the logs are not quite a traditional unix timestamp in that they have some additional digits (only the first ten digits are the unix timestamp). Below is an example log line. Notice it also includes the timezone to correlate the proper time.
%IDSSXML-6-2000: ICMP Echo Reply;informational,200.0.0.1,,100.0.0.1,,S1,1206496617566109000,CDT,0,sensorName,null,null,null,null,null,null,null,Attacker,200.0.0.1,Victim,100.0.0.1,Other,1193247818885994341,null,sensorApp,337,-300,null,CDT,null,2000,0,null,null,null,null,null,
Thanks,
Colin Grady
