Graylog messages were showing two different timestamp values

(Ganeshbabu Ramamoorthy) #1

Hi All,

I am using Graylog 2.4.5 on my Ubuntu server and I have installed Metricbeat on the same server for monitoring. I am sending data through the Logstash output and the data was received successfully. But when I checked the data in Graylog I could see there are two timestamp fields showing in the messages.

Also, I have checked the Elasticsearch mapping and I couldn’t find the field Timestamp (with capital “T”), and the searching is also happening based on the capital T (Timestamp).

I did understand that +5.30hrs is being added to the timestamp value and it is represented as the new field with capital T (Timestamp). By default the timezone in server.conf is UTC, and I have changed the timezone to Asia/Kolkata in server.conf and restarted it.

Even then I am getting the same response in Graylog. Please correct me if my understanding is wrong and let me know how to resolve this issue; it would be helpful.

Ganeshbabu R

(Jan Doberstein) #2

The setting of the timezone in the configuration is only the setting of the timezone for the root user, as explained in the configuration. This is used to convert the internal UTC timestamp into the local time of that root user.

Graylog is always and ever working with UTC and if the timestamp does not contain timezone information it will assume that this timestamp without timezone information is UTC.

I do not know how Metricbeat is presenting the information and what fields are created by that, so I can’t give you the answer where the first and the second one are coming from.
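
The UTC rule described in reply #2, as an added example that is not part of the original thread and is not Graylog's own code: a timestamp without an offset is taken as UTC, then shown in the viewer's timezone. The function names and sample timestamps are constructed for illustration, and a fixed +05:30 offset stands in for Asia/Kolkata.

```python
from datetime import datetime, timedelta, timezone

# Asia/Kolkata has no daylight saving time, so a fixed +05:30 offset is exact.
IST = timezone(timedelta(hours=5, minutes=30), "IST")


def to_utc(raw: str) -> datetime:
    """Normalize an ISO 8601 timestamp to UTC.

    A value that carries no offset is assumed to already be UTC,
    which is the behaviour described in reply #2.
    """
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def display(ts_utc: datetime, user_tz: timezone = IST) -> str:
    """Render a stored UTC instant in the viewing user's timezone."""
    return ts_utc.astimezone(user_tz).strftime("%Y-%m-%d %H:%M:%S %z")


def skew(raw_naive_local: str, sender_tz: timezone = IST) -> timedelta:
    """Error introduced when a sender emits local wall-clock time with no offset."""
    assumed = to_utc(raw_naive_local)
    actual = (
        datetime.fromisoformat(raw_naive_local)
        .replace(tzinfo=sender_tz)
        .astimezone(timezone.utc)
    )
    return assumed - actual


if __name__ == "__main__":
    # Constructed sample timestamps, not taken from the thread.
    samples = [
        "2018-07-10T09:00:00Z",       # explicit UTC
        "2018-07-10T14:30:00+05:30",  # same instant, explicit IST offset
        "2018-07-10T14:30:00",        # IST wall clock sent without an offset
    ]
    for raw in samples:
        utc = to_utc(raw)
        print(f"{raw:<28} stored={utc.isoformat()} shown={display(utc)}")
    print("skew for the offset-less sample:", skew(samples[2]))
```

The first two samples resolve to the same stored instant; the third is stored 5 hours 30 minutes late because its missing offset is read as UTC, which matters when correlating events across log sources.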
