Not sure if this was answered already or not but looks liek you are missing the %w for year. Look below for the answer.
Device Timestamps
Device timestamps are specified as part of a header definition, using the variablesdevts. There are twoways to specify a timestamp format:
• Standard predefined timestamp format
• Timestamps can be defined by a user specified format string.
Standard Predefined Timestamps
There are two predefined timestamps:
• MDTS (Month, Day, TimeStamp)
• MDYTS (Month, Day, Year, TimeStamp)
Here are the standard predefined time stamp components:
Timestamp Component Definition
Mmm Abbreviation for month of the year (case-sensitive). Valid values
are:
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Dd Day of the month. Valid values are:1through 31.Hh Hour of the day. Valid values are: 00 through 23.Mm Minute of the hour. Valid values are:
00through59.Ss Second of the minute. Valid values are: 00 through 59.
Yyyy Year. Valid values are: 1970 through current year.
MDTS (Month, Day, TimeStamp) Predefined Timestamp Formats
TheMDTS (dmonth, dday, dtime)format is:Mmm dd hh:mm:ss.Here is an example of MDTS in a log (device’s timestamp is in bold font):
Aug 18 12:48:30 [120.2.40.1] OCT 31 15:59:05 1/1 149 VRRP-4: Master is 10.20.30.40, VRID:1
The header definition for this log message is:
<HEADER id1="0001" id2="0001"
devts=”MDTS(dmondth,dday,dtime)”
content="<dmonth> <dday> <dtime> <slot>/<port> <msgcount> <messageid>-<level>: <!payload>" />
The variabledevts=”MDTS(dmondth,dday,dtime)”identifies that a device timestamp exists in the header,and the timestamp’s format is MDTS. The function’s input <args> must be defined in the header’s content
string.
MDYTS (Month, Day, Year TimeStamp) Predefined Timestamp Format
TheMDYTS (Month, Day Year Timestamp)format is:Mmm dd yyyy hh:mm:ss.Here is an example of MDYTS in a log (device’s timestamp is in bold font):
Aug 10 15:45:38 [10.10.20.1]Aug 10 2004 15:44:51: %PIX-5-304001: 10.10.20.128 Accessed URL205.188.135.105:/redirects/inclient/AIM_UAC.adp?magic=93167109&width=120&height=90
The header definition for this log message is:
HEADER id1="0003" id2="0003"
devts="MDYTS(month,day,year,time)”
content="<month> <day> <year> <time> %PIX-<level>-<messageid>: <!payload>" />
The variabledevts="MDYTS(month,day,year,time)”identifies that a device timestamp exists in the header,and the timestamp’s format is MDYTS. The function’s input <args> must be defined in the header’s
content string.
Non-Standard TimeStamp, TS
Non standard timestamps are defined by a user-specified timestamp format string. The format string
contains format codes, which describes to UDS how to process the timestamp string.
Here are the format codes for specifying a timestamp layout.:
ASCII Date Component Formatting code Example
Full Month Name %R January, JANUARY
Abbreviated Month Name %B Jan, JAN
Numeric Month %M 01 – 12
Numeric Month Day %D 01 – 31
Hour (24 hour period) %H 00 – 23
Hour (12 hour period) %I 00 – 11
AM/PM (Needed by %I) %P AM or PM
A.M./P.M. (Needed with %I) %Q A.M. or P.M.
Minutes %T 00-59
Seconds %S 00 – 59
Year (this century) %Y 00 – 99
Year %W 0000 – 9999
Julian Day %J 001-364
%% ASCII Percent
The following log message contains a non-standard format device timestamp (timestamp is in bold font):
Aug 18 12:51:04 [110.110.7.1] id=firewall sn=004010103026
time="2002-01-01 14:24:46" fw=10.10.100.1 pri=6 c=1024 m=4 SonicWALL activated
A user specified timestamp format for this log message is:
<HEADER id1="0001" id2="0001"
devts="'TS('%W-%M-%D %H:%T:%S',yearMonthDay,time)"
content="id=<id> sn=<sn> time="<yearMonthDay> <time>" fw=<fw> pri=<pri> c=<c> m=<messageid><!payload>" />
The TS function’s input <args> must be defined in the header’s content string. The TS function supports up
to a maximum of 10 input <args>.
The prototype for the TS function is:TS(formatString, var1, …). The…indicates that the TS functionsupports a variable number of input arguments. This allows the timestamp to be spread over an unknown
number of <args>. In the example, the timestamp is spread over 2 input <args>.
