Graylog: one hour time difference between raw and syslog message

I have a problem with graylog. I have a syslog udp input. When I send a raw text message the timestamp on the message is ok. When I send a syslog message the timestamp is one hour into the future. Example:

echo -n "<15>$(date "+%b %d %H:%M:%S") $(hostname -s) TESTMESSAGE from Chris" | nc -u graylog 514
-> This message will be have a timestamp one hour into the future

echo -n "$(date "+%b %d %H:%M:%S") $(hostname -s) TESTMESSAGE from Chris" | nc -u graylog 514
-> This message will be have a valid, current timestamp

Any ideas on how to fix this? I have tried to add an extractor to the input, but no success in making it create any hits. The extractor type is “Split & Index” and the type is “convert to date type”.

I was hoping there could be another solution, because the problem seems to me, is that syslog messages are processed differently than raw text messages, when it comes to applying or converting timezone.

Any help you can give would be appreciated.

If you use admin account in graylog web interface check if you have setup correct timezone in graylog server.conf:
root_timezone =

If you use another user, check timezone setup in user’s profile

Graylog stores messages in UTC timezone in Elastic, and shows it in user timezone defined.

Check also input setup, there is a option Allow overriding date?
Allow to override with current date if date could not be parsed?

Check also, that you use NTP on all servers, and have same timezone defined (timedatectl)

I use graylog in docker containers, all containers have the same time and timezone, as do all computers I use to send to graylog.

The timezone in graylog.conf (root_timeszone) is set to my timezone.

I tried turning on and off Allow overriding date? it did not help. It caused raw messages not to be found at all in graylog. But thanks for that tip, I had not tried that before.

In fact I discovered, other inputs I have, are also affected. I have a lot of messages dated one hour into the future.

I’m still searching for a solution. Is there anything else you would recommend I try?

Thanks for your help.

I’ve tried your command, and it worked correctly for me. I usually use newer syslog RFC 5424, which also send timezone, and I’ve neved had problem with it.

Check recommended way to send logs from linux by graylog:

Docker also uses syslog RFC 5424:

Or you can use GELF:

Thank you for your help.

I found my mistake. In the docker host the /etc/timezone file had UTC and I mapped it into the docker containers. Now that I corrected it and changed it to Europe/Berlin the timestamps have the correct time.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.