Supported Date Parsing Formats
When collecting Flat File Log Sources, the LogRhythm agent attempts to read a timestamp for each log in the file based on the configured Date Parsing Format. The Date Parsing Format is a pseudo-regex that the LogRhythm System Monitor Agent converts into a real regular expression at collection time. Note the platform difference: the Windows LogRhythm Agent converts it to a .NET regex, whereas the *NIX agent converts it to a POSIX regex. All characters other than the tags listed in the table below are interpreted as LITERAL characters and do not need to be escaped.
When the timestamp cannot be parsed, or no timestamp is present, the log is timestamped with the time at which the log line was collected. A mis-configured format therefore does not raise an error; it silently replaces the event time with the collection time, so verify the format against real log lines before relying on these timestamps for investigations.
Field Name | Date Format Tag (case sensitive) | Example | .NET Regex - Windows Agent | POSIX - *NIX Agent |
---|---|---|---|---|
Numeric Month | <M> | 4 | ([ ]*[0-9]{1,2}) | [[:space:]]*([[:digit:]]{1,2}) |
3 Character Month | <MM> | Feb | ([a-zA-Z]{3}) | ([[:alpha:]]{3}) |
Full Month Name | <MMM> | February | ([a-zA-Z]{3,9}) | ([[:alpha:]]{3,9}) |
Month Day as Digit | <d> | 23 | ([ ]*[0-9]{1,2}) | [[:space:]]*([[:digit:]]{1,2}) |
3 Character Day | <DD> | Mon | ([a-zA-Z]{3}) | ([[:alpha:]]{3}) |
Full Day Name | <DDD> | Monday | ([a-zA-Z]{6,9}) | ([[:alpha:]]{6,9}) |
Numeric Year without Century | <y> | 24 | ([0-9]{2}) | ([[:digit:]]{2}) |
Numeric Year with Century | <yy> | 2024 | ([0-9]{4}) | [[:space:]]*([[:digit:]]{4}) |
Hour | <h> | 10 | ([ ]*[0-9]{1,2}) | [[:space:]]*([[:digit:]]{1,2}) |
Minute | <m> | 30 | ([ ]*[0-9]{1,2}) | [[:space:]]*([[:digit:]]{1,2}) |
Second | <s> | 45 | ([ ]*[0-9]{1,2}) | [[:space:]]*([[:digit:]]{1,2}) |
An AM/PM Indicator | <t> | AM | ([aApPmM]{2}) | ([aApPmM]{2}) |
Fractions of a second | <f> | 555 | ([ ]*[0-9]{1,7}) | [[:space:]]*([[:digit:]]{1,6}) |
Ordinal Day (Julian Date) | <OD> | 24023 | ([ ]*[0-9]{5,7}) | ([[:digit:][:space:]-]{5,8}) |
Unix Time (Ticks) | <unix> | 638416244430000000 | \d{10,13} | ([[:digit:]]+) |
UTC Offset | <utcoffset> | +05:50 | ([ ]*[-\+](?:(?:\d{2}:\d{2}|\d{4}|\d{2})(?![:\d]{1}))) | [[:space:]]*([+|-]{1}([0-9]{2}:[0-9]{2}|[0-9]{4}|[0-9]{2}[^0-9])) |
UTC | <UTC> | N/A | N/A - If present interpret time as UTC | N/A - If present interpret time as UTC |
Reserved regex characters ^ . [ $ ( ) | * + ? { \ that appear as literals in the date must be escaped with \. This conflicts with the statement above that literal characters need no escaping; it has not been confirmed whether the escaping requirement applies only to the Windows agent or whether the *NIX agent handles these characters differently.
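The following is an added example, not LogRhythm's own code: it models how a Date Parsing Format is expanded into a real regex using the .NET column of the table above, applied to constructed sample lines, with the fallback to collection time described earlier when no timestamp parses. Unescaped characters between tags are treated as literals (per the statement above), and a backslash-escaped character is also taken as that literal, so a format written either way works. Filling fields the format omits from the collection time and reading a two-digit <y> as 20yy are assumptions of this example, not documented agent behaviour.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex fragment for each Date Format Tag, transcribed from the .NET (Windows
# agent) column of the table above; Python's re engine accepts them unchanged.
# Tags are case sensitive: <M> is the numeric month, <m> the minute.
TAG_PATTERNS = {
    "M": r"([ ]*[0-9]{1,2})", "MM": r"([a-zA-Z]{3})", "MMM": r"([a-zA-Z]{3,9})",
    "d": r"([ ]*[0-9]{1,2})", "DD": r"([a-zA-Z]{3})", "DDD": r"([a-zA-Z]{6,9})",
    "y": r"([0-9]{2})", "yy": r"([0-9]{4})",
    "h": r"([ ]*[0-9]{1,2})", "m": r"([ ]*[0-9]{1,2})", "s": r"([ ]*[0-9]{1,2})",
    "t": r"([aApPmM]{2})", "f": r"([ ]*[0-9]{1,7})",
    "utcoffset": r"([ ]*[-\+](?:(?:\d{2}:\d{2}|\d{4}|\d{2})(?![:\d]{1})))",
}
TAG_RE = re.compile(r"<(MMM|MM|M|DDD|DD|d|yy|y|h|m|s|t|f|utcoffset|UTC)>")
MONTHS = {name: n for n, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}


def compile_format(fmt):
    """Turn a Date Parsing Format into (compiled regex, ordered tag names, utc flag)."""
    parts, tags, as_utc, pos = [], [], False, 0
    while pos < len(fmt):
        tag = TAG_RE.match(fmt, pos)
        if tag:
            if tag.group(1) == "UTC":
                as_utc = True                    # marker only, captures nothing
            else:
                parts.append(TAG_PATTERNS[tag.group(1)])
                tags.append(tag.group(1))
            pos = tag.end()
        elif fmt[pos] == "\\" and pos + 1 < len(fmt):
            parts.append(re.escape(fmt[pos + 1]))  # "\." written by the user
            pos += 2
        else:
            parts.append(re.escape(fmt[pos]))      # every other character is literal
            pos += 1
    return re.compile("".join(parts)), tags, as_utc


def _offset(text):
    """tzinfo for a captured <utcoffset> such as +05:50, -0800 or +05."""
    sign = -1 if text[0] == "-" else 1
    digits = text[1:].replace(":", "")
    return timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:4] or 0)))


def parse_timestamp(line, fmt, collected_at):
    """Timestamp read from line, or collected_at when nothing parses.

    Fields the format omits are copied from collected_at and a two-digit <y>
    is read as 20yy: both are assumptions of this example, not documented
    agent behaviour.
    """
    regex, tags, as_utc = compile_format(fmt)
    match = regex.search(line)
    if not match:
        return collected_at
    v = dict(zip(tags, (g.strip() for g in match.groups())))
    try:
        year = int(v["yy"]) if "yy" in v else 2000 + int(v["y"]) if "y" in v else collected_at.year
        if "M" in v:
            month = int(v["M"])
        elif "MM" in v or "MMM" in v:
            month = MONTHS[v.get("MM", v.get("MMM"))[:3].lower()]
        else:
            month = collected_at.month
        day = int(v.get("d", collected_at.day))
        hour, minute, second = (int(v.get(k, 0)) for k in ("h", "m", "s"))
        if v.get("t", "").upper() == "PM" and hour < 12:
            hour += 12
        elif v.get("t", "").upper() == "AM" and hour == 12:
            hour = 0
        micro = int(v["f"].ljust(6, "0")[:6]) if "f" in v else 0   # 555 -> .555000
        tz = _offset(v["utcoffset"]) if "utcoffset" in v else (timezone.utc if as_utc else None)
        return datetime(year, month, day, hour, minute, second, micro, tzinfo=tz)
    except (KeyError, ValueError):
        return collected_at   # e.g. month 13: regex matched but no valid date


# Constructed sample lines (not real logs), each with the format meant to parse it.
COLLECTED_AT = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = [
    ("Feb 23 10:30:45 host sshd[1234]: Accepted publickey for root", "<MM> <d> <h>:<m>:<s>"),
    ("2024-02-23T10:30:45.555+05:50 app started", "<yy>-<M>-<d>T<h>:<m>:<s>.<f><utcoffset>"),
    ("02/23/2024 10:30:45 PM logon event", "<M>/<d>/<yy> <h>:<m>:<s> <t>"),
    ("2024-02-23 10:30:45 UTC shutdown", "<yy>-<M>-<d> <h>:<m>:<s><UTC>"),
    ("2024-13-45 not a date", "<yy>-<M>-<d>"),
    ("no timestamp on this line", "<yy>-<M>-<d>"),
]


def run_samples():
    """Parse each sample; the last two fall back to COLLECTED_AT."""
    return [parse_timestamp(line, fmt, COLLECTED_AT).isoformat() for line, fmt in SAMPLES]


if __name__ == "__main__":
    for (line, fmt), stamp in zip(SAMPLES, run_samples()):
        print(f"{fmt:42} {stamp}")
```

The fifth sample is the case worth noticing: the regex matches "2024-13-45", but no valid date can be built from it, so the line silently receives the collection time, exactly the outcome a wrong format produces in the agent. Running the script over a handful of real lines from the file before deploying a format is the cheapest way to catch that.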