Date formats are a nightmare. Each event source may use a different convention, and some conventions are less than perfect. For example, the date format used by syslog does not include a year.
Dates can also be entered in Orchids rules, by one of the following constructions:

    _CTIME(string constant)
    _TIMEVAL(string constant, integer constant)
The string constant is a human-readable date, and is parsed with the strptime() API call. Unfortunately, strptime() cannot parse a date without being told which format it is in, and nothing in the constant says which convention it follows, so Orchids tries the following formats one after the other, in this order, and keeps the first one that matches.
    Format                       Convention
    "%a %m/%d/%Y %T %Z"          US format
    "%a %d %m %Y %T %Z"          French format
    "%a %Y-%m-%d %T %Z"          European format
    "%a %m/%d/%Y %T"             US format
    "%a %d %m %Y %T"             French format
    "%a %Y-%m-%d %T"             European format
    "%a %m/%d/%Y"                US format
    "%a %d %m %Y"                French format
    "%a %Y-%m-%d"                European format
    "%Y-%m-%dT%H:%M:%S"          IDMEF format

The conversion specifiers are those of strftime(3)/strptime(3): %a is the abbreviated weekday name, %T stands for %H:%M:%S, and %Z is a timezone name.
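The cascade described above, written out as an added C example. This is not Orchids' own code: the function name parse_rule_date, the full-consumption check and the sample inputs are constructed for this illustration. The function tries the ten formats in the listed order and accepts the first one that consumes the whole string, which is what makes an all-digit date such as "Mon 05 01 2018" come out as the French convention (5 January): the US pattern is tried first but fails on the missing slash, so the French pattern is the first to match.

```c
/* Added example, not Orchids code: try the documented strptime() formats
 * in the documented order until one parses the whole string. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <time.h>

/* <time.h> only declares strptime() when _XOPEN_SOURCE is set before the
 * first system header is read; spelling the prototype out keeps this file
 * building even if some other header was included first. */
char *strptime(const char *s, const char *format, struct tm *tm);

/* The formats from the table, in the order the manual lists them. */
static const char *const date_formats[] = {
    "%a %m/%d/%Y %T %Z",   /* US */
    "%a %d %m %Y %T %Z",   /* French */
    "%a %Y-%m-%d %T %Z",   /* European */
    "%a %m/%d/%Y %T",      /* US, no zone */
    "%a %d %m %Y %T",      /* French, no zone */
    "%a %Y-%m-%d %T",      /* European, no zone */
    "%a %m/%d/%Y",         /* US, date only */
    "%a %d %m %Y",         /* French, date only */
    "%a %Y-%m-%d",         /* European, date only */
    "%Y-%m-%dT%H:%M:%S",   /* IDMEF */
};

/* Parse s with the first format that consumes the whole string.
 * Returns the index of the matching format in date_formats, or -1 if
 * none matched. Fields a format does not mention (the time of day for
 * the date-only patterns) stay at zero because tm is cleared first. */
int parse_rule_date(const char *s, struct tm *out)
{
    size_t n = sizeof date_formats / sizeof date_formats[0];
    for (size_t i = 0; i < n; i++) {
        struct tm tm;
        memset(&tm, 0, sizeof tm);
        char *end = strptime(s, date_formats[i], &tm);
        /* strptime() returns NULL on a mismatch, otherwise a pointer to
         * the first character it did not consume. A non-NULL result with
         * characters left over is a partial match; this example rejects
         * it rather than silently ignoring the tail. */
        if (end != NULL && *end == '\0') {
            *out = tm;
            return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs: one per convention plus two that no
     * listed format covers. */
    const char *samples[] = {
        "Mon 01/15/2018 10:30:00 UTC",   /* US, with a zone name */
        "Mon 05 01 2018 10:30:00",       /* French: 5 January, not 1 May */
        "Mon 2018-01-15",                /* European, date only */
        "2018-01-15T10:30:00",           /* IDMEF */
        "2018-01-15T10:30:00Z",          /* IDMEF with zone suffix */
        "Jan 15 10:30:00",               /* syslog style, no year */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct tm tm;
        int idx = parse_rule_date(samples[i], &tm);
        if (idx < 0)
            printf("%-30s -> no format matched\n", samples[i]);
        else
            printf("%-30s -> format %d, %04d-%02d-%02d %02d:%02d:%02d\n",
                   samples[i], idx, tm.tm_year + 1900, tm.tm_mon + 1,
                   tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec);
    }
    return 0;
}
```

Two caveats worth knowing when writing such constants. First, strptime() does not fail on trailing text; it returns a pointer to the first unparsed character, so a caller that does not check for the end of the string accepts partial matches, and with glibc the %Z specifier swallows the next whitespace-delimited token without setting any field, so a zone name in the constant does not shift the resulting time. Second, the IDMEF pattern above has no room for the trailing "Z" or UTC offset that IDMEF timestamps commonly carry, so this code rejects "2018-01-15T10:30:00Z", as it rejects the year-less syslog form.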