The analyzer parses RFC 3339 format timestamps from syslog entries. Depending on whether RSYSLOG_FileFormat or RSYSLOG_TraditionalFileFormat is used, the format will vary.
Our playbooks set RSYSLOG_FileFormat, which produces 3339 entries, so the code is currently shaped around that. Expanding that to other potential formats is the gist of this issue.
There may be other ways to configure the format, but this example proves enough that we need to look into support for other formats.
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html#reserved-template-names
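
An added example, not the analyzer's own code, of accepting both reserved templates named above. The traditional format carries no year and no UTC offset, so the caller has to supply both; `parse_entry`, the constructed sample lines and the year-inference rule are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample entries, one per reserved template name.
FILE_FORMAT_LINE = "2023-03-07T14:22:05.123456+01:00 web01 sshd[1021]: session opened"
TRADITIONAL_LINE = "Mar  7 14:22:05 web01 sshd[1021]: session opened"

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt](\d{2}:\d{2}:\d{2})(?:\.(\d+))?"
    r"([Zz]|[+-]\d{2}:\d{2})\s+(.*)$")
_BSD = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) +(.*)$")
_MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_entry(line, now, local_tz=timezone.utc):
    """Return (aware datetime, rest of line); ValueError if no format matches.

    `now` must be timezone-aware. `local_tz` is the zone assumed for
    traditional-format entries, which do not record one.
    """
    m = _RFC3339.match(line)
    if m:
        date, clock, frac, zone, rest = m.groups()
        frac = (frac or "0").ljust(6, "0")[:6]   # normalise to microseconds
        zone = "+00:00" if zone.upper() == "Z" else zone
        return datetime.fromisoformat(f"{date}T{clock}.{frac}{zone}"), rest
    m = _BSD.match(line)
    if m and m.group(1) in _MONTHS:
        mon, day, hh, mm, ss, rest = m.groups()
        # No year in the entry: take the most recent year that does not
        # place it in the future (handles December logs read in January).
        for year in (now.year, now.year - 1):
            try:
                ts = datetime(year, _MONTHS[mon], int(day),
                              int(hh), int(mm), int(ss), tzinfo=local_tz)
            except ValueError:   # e.g. Feb 29 in a non-leap year
                continue
            if ts <= now + timedelta(days=1):   # one day of clock-skew slack
                return ts, rest
    raise ValueError(f"unrecognised syslog timestamp: {line[:32]!r}")
```

Timestamps recovered from the traditional format are only as trustworthy as the assumed zone and year, which matters when correlating events across hosts.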