I have set up a Graylog server, and the only thing it needs to monitor is a Layer 3 switch. The switch and all the different time zones in Graylog are configured the same.
The issue is that when I listen with:
sudo tcpdump -i any port 514 or port 5140 or port 1514 -nn
I receive the packets immediately as they happen. The same goes for the in/out section in the Graylog web interface—I can see the packet arriving as soon as I, for example, unplug and replug a cable.
However, in the Graylog web interface, the event is only displayed after an hour, and it also shows the timestamp as one hour later. So, if an event happens at 08:00, Graylog displays it as occurring at 09:00.
All devices are synchronized with the same NTP server, and their system times are identical.