Date formats

Date formats are a nightmare.  Each event source may use a different convention, and some conventions are less than perfect.  For example, the date format used by syslog does not include a year.

Dates can also be entered in Orchids rules, by one of the following constructions:

  • _CTIME(string constant)
  • _TIMEVAL(string constant, integer constant)

The string constant is in a human-readable date format, and is parsed by the strptime() API call.  Unfortunately, strptime() cannot guess the layout of a date string on its own: it must be told the exact format.  Orchids therefore tries the following formats, one after the other, and keeps the first that parses.

  • "%a %m/%d/%Y %T %Z"   US format
  • "%a %d %m %Y %T %Z"   French format
  • "%a %Y-%m-%d %T %Z"   European format
  • "%a %m/%d/%Y %T"      US format
  • "%a %d %m %Y %T"      French format
  • "%a %Y-%m-%d %T"      European format
  • "%a %m/%d/%Y"         US format
  • "%a %d %m %Y"         French format
  • "%a %Y-%m-%d"         European format
  • "%Y-%m-%dT%H:%M:%S"   IDMEF format
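The following C program is an added illustration of the two points above (the year-less syslog date, and the try-each-format strategy); it is not Orchids' own code.  It walks the format list in the order given, using strptime() directly, and rejects any candidate that leaves unparsed text behind, so that "2024-03-04T10:11:12 trailing" is not silently accepted as a date.  The function names, the syslog layout "%b %e %T" and the sample strings are assumptions made for this example.

```c
/* Added example: a strptime() fallback chain in the spirit of the Orchids
 * date parser described above (not the project's code). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose strptime() in <time.h> on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Explicit prototype in case the feature macro above was not seen before
 * the first system header was included. */
char *strptime(const char *s, const char *format, struct tm *tm);

/* The candidate layouts, in the order the text above lists them. */
static const char *const DATE_FORMATS[] = {
    "%a %m/%d/%Y %T %Z",   /* US format */
    "%a %d %m %Y %T %Z",   /* French format */
    "%a %Y-%m-%d %T %Z",   /* European format */
    "%a %m/%d/%Y %T",      /* US format */
    "%a %d %m %Y %T",      /* French format */
    "%a %Y-%m-%d %T",      /* European format */
    "%a %m/%d/%Y",         /* US format */
    "%a %d %m %Y",         /* French format */
    "%a %Y-%m-%d",         /* European format */
    "%Y-%m-%dT%H:%M:%S",   /* IDMEF format */
};
#define N_DATE_FORMATS (sizeof DATE_FORMATS / sizeof DATE_FORMATS[0])

/* Try each format in turn.  Returns the index of the first format that
 * consumes the whole string (trailing text is rejected), or -1 if none
 * matches.  On success *out holds the broken-down time; fields the
 * format does not mention stay zero, which is why *out is cleared first. */
int parse_date_chain(const char *s, struct tm *out)
{
    for (size_t i = 0; i < N_DATE_FORMATS; i++) {
        struct tm tmp;
        memset(&tmp, 0, sizeof tmp);
        const char *rest = strptime(s, DATE_FORMATS[i], &tmp);
        if (rest != NULL && *rest == '\0') {
            *out = tmp;
            return (int)i;
        }
    }
    return -1;
}

/* Classic syslog timestamps ("Mar  4 10:11:12", layout assumed here as
 * "%b %e %T") carry no year, so strptime() leaves tm_year at 0, i.e. 1900.
 * The caller must supply the year to use.  Returns 1 on success, 0 on failure. */
int parse_syslog_date(const char *s, int default_year, struct tm *out)
{
    struct tm tmp;
    memset(&tmp, 0, sizeof tmp);
    const char *rest = strptime(s, "%b %e %T", &tmp);
    if (rest == NULL || *rest != '\0')
        return 0;
    tmp.tm_year = default_year - 1900;   /* fill in what the format lacks */
    tmp.tm_isdst = -1;                   /* let mktime() decide on DST */
    *out = tmp;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, one per interesting case. */
    const char *samples[] = {
        "2024-03-04T10:11:12",            /* IDMEF, matches the last entry */
        "Mon 04 03 2024",                 /* French date only */
        "2024-03-04T10:11:12 trailing",   /* rejected: leftover text */
        "not a date",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct tm t;
        int idx = parse_date_chain(samples[i], &t);
        if (idx < 0)
            printf("%-32s -> no format matched\n", samples[i]);
        else
            printf("%-32s -> format %d, %04d-%02d-%02d %02d:%02d:%02d\n",
                   samples[i], idx, t.tm_year + 1900, t.tm_mon + 1,
                   t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec);
    }
    struct tm sl;
    if (parse_syslog_date("Mar  4 10:11:12", 2024, &sl))
        printf("syslog -> %04d-%02d-%02d %02d:%02d:%02d\n",
               sl.tm_year + 1900, sl.tm_mon + 1, sl.tm_mday,
               sl.tm_hour, sl.tm_min, sl.tm_sec);
    return 0;
}
```

Two caveats worth knowing when reproducing this.  How %Z behaves depends on the C library: glibc's strptime() merely skips an optional whitespace-free token for %Z, so the first three layouts also accept a date with no zone name and the matched index is then lower than one might expect, while other libraries may reject %Z altogether; checking the parsed fields is more robust than relying on the index.  And strptime() never checks that the weekday given to %a agrees with the date, so "Mon" in front of a Tuesday parses just the same.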