Can't find results when using relative time, but "all time" works

Just installed Graylog (docker compose, from docker-compose/open-core/docker-compose.yml at main · Graylog2/docker-compose · GitHub), total n00b. Set up the Syslog input, forwarding log events from rsyslog. I can see the events when I click “Show received inputs” from the Inputs screen. The times look … fine? The forwarded events are in CST and in /var/log/syslog, they appear to have TZ info in them, at least, the TZ offset (ends in -0600).

There are new log entries every few seconds, but when I use a relative time (e.g. last 5 minutes), I get no results. Same if I use an absolute time that covers … the last 5 minutes. When I switch back to all time, I see the events, and they’re in the last 5 minutes.

I’m guessing there’s some sort of UTC snafu at play, but my Google searching and searching through the community here hasn’t surfaced what my config issue might be. Any assistance is much appreciated!

Cheers.

Have you gone through this article? https://graylog.org/post/time-zones-a-loggers-worst-nightmare/

I have not! Thanks, I’ll take a look.

👀

OK, thanks so much @Joel_Duffield - my syslog input had the TZ “Not Set” - I set it and now the ingested events are visible with a relative time. So, am I to gather from this that my rsyslog client is sending events … without a timezone, since the configuration option reads Default time zone used when no timezone detected … is there a way to get rsyslog to send a useful TZ for the events that it’s forwarding?
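The shift described in this thread, as an added illustration that is not from the original post or from Graylog's code: an RFC 3164 line (the traditional rsyslog forward format) carries no year and no zone offset, so a receiver has to fall back to a configured default zone, while an RFC 5424 line carries an RFC 3339 timestamp with its own offset. The hostname, app name and sample timestamps below are constructed; the default-zone fallback is a simplified model of the input setting quoted above, not Graylog's parser.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines for one event logged at 14:00 CST, as two
# different rsyslog forward templates would emit it (names are made up).
RFC3164_LINE = "<13>Mar  4 14:00:00 host1 myapp[123]: hello"          # no year, no offset
RFC5424_LINE = "<13>1 2024-03-04T14:00:00-06:00 host1 myapp 123 - - hello"

CST = timezone(timedelta(hours=-6))
UTC = timezone.utc
SAMPLE_NOW = datetime(2024, 3, 4, 14, 2, tzinfo=CST)  # "now" for the demo, 20:02Z


def parse_timestamp(line, default_tz, year):
    """Return an aware datetime for the syslog timestamp in ``line``.

    RFC 5424 (``<PRI>1 ...``) carries an explicit offset, which wins over
    ``default_tz``. RFC 3164 (``<PRI>Mmm dd hh:mm:ss``) has neither year nor
    zone, so the caller supplies the year and ``default_tz`` fills the zone
    (a simplified model of "default time zone used when no timezone detected").
    """
    body = line.split(">", 1)[1]
    if body.startswith("1 "):
        stamp = body.split(" ", 2)[1]
        return datetime.fromisoformat(stamp)  # offset comes from the string
    stamp = " ".join(body.split()[:3])  # "Mar 4 14:00:00"
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=default_tz)


def in_relative_window(event_time, now, minutes=5):
    """True if the event falls inside a 'last N minutes' search window."""
    return now - timedelta(minutes=minutes) <= event_time <= now


def demo(now=SAMPLE_NOW):
    """Map each (format, default zone) case to (UTC timestamp, in last 5 min?)."""
    cases = [
        ("rfc3164-default-utc", RFC3164_LINE, UTC),  # zone "Not Set" -> 6h off
        ("rfc3164-default-cst", RFC3164_LINE, CST),  # zone set to match client
        ("rfc5424", RFC5424_LINE, UTC),              # default ignored, offset present
    ]
    results = {}
    for label, line, tz in cases:
        t = parse_timestamp(line, tz, now.year)
        results[label] = (t.astimezone(UTC).isoformat(), in_relative_window(t, now))
    return results


if __name__ == "__main__":
    for label, (stamp, hit) in demo().items():
        print(f"{label:22} {stamp}  in last 5 min: {hit}")
```

With the default zone left at UTC the 14:00 CST event lands at 14:00Z, six hours away from the real 20:00Z, which is why a relative search misses it while "all time" still shows it.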
