I have a problem with Graylog. I have a syslog UDP input. When I send a raw text message, the timestamp on the message is OK. When I send a syslog message, the timestamp is one hour into the future. Example:
echo -n "<15>$(date "+%b %d %H:%M:%S") $(hostname -s) TESTMESSAGE from Chris" | nc -u graylog 514
-> This message will have a timestamp one hour into the future
echo -n "$(date "+%b %d %H:%M:%S") $(hostname -s) TESTMESSAGE from Chris" | nc -u graylog 514
-> This message will have a valid, current timestamp
Any ideas on how to fix this? I have tried to add an extractor to the input, but no success in making it create any hits. The extractor type is “Split & Index” and the type is “convert to date type”.
I was hoping there could be another solution, because the problem, it seems to me, is that syslog messages are processed differently than raw text messages when it comes to applying or converting the timezone.
Any help you can give would be appreciated.