Fortinet, syslog timestamp timezone set wrong


(Matej Rycek) #1

Hi,

I send syslog messages from a Fortigate 60D, and the timestamp provided in the syslog message is in the system's local time (GMT+1), i.e. 12:00 (11:00Z). Graylog interprets it as UTC, which leads to the following issue:

In this picture the timestamp is set to 16:18:47.000Z, but this time was sent to Graylog in GMT+1 and Graylog interprets it as UTC. That is the issue: if I need the log from 17:18:47, I must wait until 18:18:47. Are there any options to solve this? My other logs are in UTC and only these logs are in GMT+1.

my timezone:


Thank you very much for your help.


(Jochen) #2

(Matej Rycek) #3

Thanks for your quick answer, but I can't figure out how to solve this with a pipeline.

This option occurred to me, but I don't know how to fix it with a pipeline.
Is this a possible way?
Sorry for my questions, but I do not know much about it.

rule "fortigate timestamp"
when
  true
then
  // Fortigate sends the time on a 24-hour clock (e.g. 16:18:47), so the pattern needs HH, not hh.
  let new_timestamp = parse_date(to_string($message.date) + " " + to_string($message.time), "yyyy-MM-dd HH:mm:ss", "Europe/Prague");
  set_field("timestamp", new_timestamp);
end

(Jochen) #4

Have you actually tried to use the rule you’ve posted?


(Matej Rycek) #5

Yes, I tried, but the function doesn't work. It looks like the addition of two strings does not work.
Is there a way to tell Graylog that the specified time is already in the Prague/Berlin zone?

Thanks for any answer.


(Jochen) #6

That’s what the concat() function is for.

Also see the following related GitHub issue:
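The rule from post #3 rewritten with concat(), as an added example that is not code from this thread. It assumes the Fortigate extractor already produces the `date` and `time` fields used in the original rule; concat() takes exactly two strings, so the separator is joined in a nested call.

```graylog
rule "fortigate timestamp"
when
  // Only rewrite the timestamp when both source fields are present,
  // so messages without them keep the timestamp Graylog assigned.
  has_field("date") && has_field("time")
then
  // Join "yyyy-MM-dd" and "HH:mm:ss" with a space; concat() accepts two arguments.
  let local_ts = concat(concat(to_string($message.date), " "), to_string($message.time));
  // Tell parse_date the wall-clock time is Europe/Prague (CET/CEST, DST handled by the zone),
  // so Graylog stores the correct UTC instant instead of treating 16:18:47 as 16:18:47Z.
  // HH is the 24-hour hour field; hh would be the 12-hour clock.
  let new_timestamp = parse_date(
    value: local_ts,
    pattern: "yyyy-MM-dd HH:mm:ss",
    timezone: "Europe/Prague"
  );
  set_field("timestamp", new_timestamp);
end
```

After the rule is connected to the stream, a message carrying 16:18:47 local time should show 15:18:47.000Z (winter) or 14:18:47.000Z (summer) in the search view, matching the other UTC sources.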

