Delayed message for certain switches

Description of your problem

For a few of our switches, messages are logged several hours later than they were sent.
Cisco Catalyst 6500 and Nexus 3548 switches.

The timestamp is also changed when the message is logged.
Look at the full message timestamp, and the timestamp logged by Graylog:

Description of steps you’ve taken to attempt to solve the issue

Checked if the messages actually arrive at the Graylog server using tcpdump (they do).
Checked overall status of the installation; it doesn’t seem to be missing any resources.


Operating system information

Ubuntu 18.04

Package versions

  • Graylog 4.0.5-1
  • MongoDB 4.0.23
  • Elasticsearch 7.10.2
  • Service logs, configuration, and environment variables: Please request any relevant logs

Forgot to add, timezones seem to be fine (although this seems to be a time issue, since messages appear in Graylog exactly 7 hours after they’re received).

timezone

Maybe Graylog interprets ECST as Ecuador Summer Time, which is UTC-5. If you add your UTC+2 timezone, it is a -7 hour difference.

So you probably configured your Cisco devices wrongly? Instead of CEST, you used the wrong name ECST by mistake?

Correct setting for CEST (UTC+2) for Cisco IOS:

clock timezone CET +1 0
clock summer-time CEST recurring last Sun Mar 02:00 last Sun Oct 03:00

Correct setting for CEST (UTC+2) for Cisco Nexus:

clock timezone CET 1 0
clock summer-time CEST 5 Sun Mar 02:00 5 Sun Oct 03:00 60

Nexus

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

2 Likes
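The offset arithmetic from the answer above, as an added example that is not part of the original thread and does not reproduce Graylog's own parser: a Python check that reads the zone abbreviation from a syslog timestamp, flags any abbreviation outside the site's expected set, and computes how far the parsed time lands from the time the collector received the message. The message layout, the sample lines and the `EXPECTED` and `SUSPECT` tables are constructed assumptions; the UTC-5 reading of ECST is the one suggested in the answer.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed site policy: abbreviations the devices should emit, with UTC offsets.
EXPECTED = {"UTC": 0, "CET": 1, "CEST": 2}
# Abbreviation a receiver could read differently; offset as suggested in the thread.
SUSPECT = {"ECST": -5}

# Assumed layout: "Mon DD HH:MM:SS[.mmm] ZONE:" (timestamp with zone shown).
TS = re.compile(
    r"([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2})(?:\.\d+)? ([A-Za-z]{2,5}):"
)

def audit(line, received_utc):
    """Compare the timestamp inside a syslog line with its receive time."""
    m = TS.search(line)
    if not m:
        return {"status": "no-timestamp"}
    mon, day, clock, zone = m.groups()
    # Syslog timestamps carry no year; borrow it from the receive time.
    wall = datetime.strptime(
        f"{received_utc.year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"
    )
    if zone in EXPECTED:
        offset, status = EXPECTED[zone], "ok"
    elif zone in SUSPECT:
        offset, status = SUSPECT[zone], "unexpected-zone"
    else:
        return {"status": "unknown-zone", "zone": zone}
    # Wall-clock time minus the zone offset gives the UTC instant a parser stores.
    parsed = (wall - timedelta(hours=offset)).replace(tzinfo=timezone.utc)
    skew = (parsed - received_utc).total_seconds() / 3600
    return {"status": status, "zone": zone, "parsed_utc": parsed,
            "skew_hours": round(skew, 2)}

# Constructed samples: both devices really sit at UTC+2, one mislabels its zone.
SAMPLES = [
    ("<189>101: Jun 14 12:00:00.123 ECST: %LINK-3-UPDOWN: Interface Gi1/1, changed state to up",
     datetime(2021, 6, 14, 10, 0, 1, tzinfo=timezone.utc)),
    ("<189>102: Jun 14 12:00:05.456 CEST: %SYS-5-CONFIG_I: Configured from console",
     datetime(2021, 6, 14, 10, 0, 6, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for line, received in SAMPLES:
        print(audit(line, received))
```

A whole-hour skew that stays constant per device points at zone labelling rather than queueing or transport delay.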

Wow, thanks! Would’ve never caught that
