Event timestamp vs Graylog node processing timestamp

(John Buchanan) #1

Is it safe to say that the timestamp field for an event is most accurately described as the time when the Graylog node processed that event, not the time Graylog received the event, nor the time the event was generated on the originating system?

During spikes in incoming events our nodes might fall behind for a few minutes to a few hours, queuing up on the disk journal. An example here is firewall logs during a DDoS attack: attempting to do research, we realized that the timestamp field does not match what is in the message/full_message body, as sent over from the Cisco ASA. It reflects the time at which one of our Graylog nodes finally processed and indexed the message. This makes after-action research much more difficult.

Can I override the timestamp field with, say, a grok or regex extractor from message or full_message? I put one in place earlier today, but the timestamp field still reflects the processed time on the Graylog node, not the timestamp from the firewall in the message/full_message fields.

(Jan Doberstein) #2

Hey @jebucha,

You left out how you deliver the messages from your devices, but I guess that it is syslog and you do not modify the messages on the devices?

I have written something about Cisco messages and provide some help over here: https://jalogisch.de/2018/working-with-cisco-asa-nexus-on-graylog/

Should your timestamp not be readable, Graylog will fill in now (the point of processing), which is not accurate, as you have already seen.

This can be fixed with a processing pipeline (for example), but the timestamp needs to be accurately formatted. Just see the rules in the above blog post.
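
One way to do what Jan describes, as an added example that is not from the linked blog post or from either poster: a pipeline rule that parses the ASA's own timestamp from the start of the message, writes it into `timestamp`, and keeps the time Graylog assigned in a separate field so the ingest lag during a spike is still visible for after-action work. It assumes the ASA has `logging timestamp` enabled, so the message begins with `MMM dd yyyy HH:mm:ss`, and that the device clock is in UTC; the field name `graylog_processed_at` is hypothetical.

```text
rule "cisco-asa: use device timestamp as event timestamp"
when
  has_field("message") &&
  // Only act when the message really starts with an ASA-style timestamp;
  // otherwise leave Graylog's own timestamp alone (assumption: "logging timestamp" is on).
  regex("^\\w{3}\\s+\\d{1,2}\\s+\\d{4}\\s+\\d{2}:\\d{2}:\\d{2}", to_string($message.message)).matches == true
then
  // Capture group "0" is the device timestamp, e.g. "Jun 12 2024 10:15:01" (constructed sample).
  let m = regex("^(\\w{3}\\s+\\d{1,2}\\s+\\d{4}\\s+\\d{2}:\\d{2}:\\d{2})", to_string($message.message));

  // Parse with the matching Joda pattern; change the timezone if the ASA logs local time.
  let device_time = parse_date(value: to_string(m["0"]), pattern: "MMM dd yyyy HH:mm:ss", timezone: "UTC");

  // Preserve the time Graylog assigned (the processing time) in a hypothetical field,
  // so "timestamp - graylog_processed_at" still shows how far the journal fell behind.
  set_field("graylog_processed_at", $message.timestamp);

  // Now make the event timestamp the time the firewall generated the message.
  set_field("timestamp", device_time);
end
```

Attach the rule to a pipeline connected to the stream the ASA input feeds, and check in a search that `timestamp` now precedes `graylog_processed_at` for queued messages.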
