I have a problem with Graylog. I have a syslog UDP input. When I send a raw text message, the timestamp on the message is OK. When I send a syslog message, the timestamp is one hour in the future. Example:
echo -n "<15>$(date "+%b %d %H:%M:%S") $(hostname -s) TESTMESSAGE from Chris" | nc -u graylog 514
-> This message will have a timestamp one hour in the future
echo -n "$(date "+%b %d %H:%M:%S") $(hostname -s) TESTMESSAGE from Chris" | nc -u graylog 514
-> This message will have a valid, current timestamp
Any ideas on how to fix this? I have tried to add an extractor to the input, but no success in making it create any hits. The extractor type is “Split & Index” and the type is “convert to date type”.
I was hoping there could be another solution, because the problem, it seems to me, is that syslog messages are processed differently than raw text messages when it comes to applying or converting the timezone.
I found my mistake. On the Docker host, the /etc/timezone file contained UTC, and I mapped it into the Docker containers. Now that I have corrected it and changed it to Europe/Berlin, the timestamps have the correct time.
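To make the mechanism behind the one-hour shift concrete, here is an added example that is not part of the original thread or of Graylog's code. It models what the thread observes: a BSD syslog header (`<PRI>Mon DD HH:MM:SS host msg`, which is what the `date "+%b %d %H:%M:%S"` one-liner produces) carries no timezone, so whoever parses it must assume one; a raw line with no such header simply gets the receive time. The sample line, the year, the sender zone Europe/Berlin and the receiver zone UTC are constructed for the example, and `assign_timestamp` is a simplified stand-in for the input's behaviour, not Graylog's actual parser.

```python
"""Model of why a zone-less syslog timestamp drifts when the receiver's
timezone differs from the sender's. Added example, not code from the
thread or from Graylog."""
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# BSD syslog: "<PRI>Mon DD HH:MM:SS host message" (RFC 3164 style, no year, no zone)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample lines mirroring the two echo commands in the thread.
SAMPLE_SYSLOG = "<15>Mar 10 12:00:00 chrishost TESTMESSAGE from Chris"
SAMPLE_RAW = "Mar 10 12:00:00 chrishost TESTMESSAGE from Chris"
SAMPLE_YEAR = 2023  # BSD syslog has no year; a parser must assume one


def parse_bsd_syslog(line, assumed_tz, year=SAMPLE_YEAR):
    """Parse a BSD syslog line and return its timestamp as an aware UTC
    datetime, interpreting the zone-less header time in `assumed_tz`.
    Returns None when the line has no syslog header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(assumed_tz)).astimezone(timezone.utc)


def drift_hours(line, sender_tz, receiver_tz, year=SAMPLE_YEAR):
    """How many hours ahead of the true instant the receiver's reading is.
    Positive means the stored timestamp lies in the future."""
    real = parse_bsd_syslog(line, sender_tz, year)
    seen = parse_bsd_syslog(line, receiver_tz, year)
    return (seen - real).total_seconds() / 3600


def assign_timestamp(line, receiver_tz, received_at_utc, year=SAMPLE_YEAR):
    """Simplified stand-in (an assumption, not Graylog's code) for the input
    behaviour in the thread: a syslog-formatted line keeps its own header
    time, read in the receiver's zone; a plain line gets the receive time."""
    parsed = parse_bsd_syslog(line, receiver_tz, year)
    return parsed if parsed is not None else received_at_utc


if __name__ == "__main__":
    # Sender clock in Europe/Berlin (CET, UTC+1 in March), container in UTC:
    # "12:00:00" really means 11:00 UTC but is stored as 12:00 UTC.
    print(parse_bsd_syslog(SAMPLE_SYSLOG, "Europe/Berlin"))   # 11:00 UTC
    print(parse_bsd_syslog(SAMPLE_SYSLOG, "UTC"))             # 12:00 UTC
    print(drift_hours(SAMPLE_SYSLOG, "Europe/Berlin", "UTC"))  # 1.0
    # The same misconfiguration in July (CEST, UTC+2) would drift two hours.
    print(drift_hours("<15>Jul 10 12:00:00 chrishost x", "Europe/Berlin", "UTC"))
    # The raw line has no header, so it just gets the receive time.
    now = datetime(2023, 3, 10, 11, 0, tzinfo=timezone.utc)
    print(assign_timestamp(SAMPLE_RAW, "UTC", now))
```

The `drift_hours` value is exactly the sender zone's UTC offset on that date, which is why the thread's fix (giving the container the same zone as the sending hosts) removes the drift. Note that the drift is seasonal: with Europe/Berlin senders it is one hour under CET and two under CEST, so a container that "only" shows a one-hour shift in winter will show two in summer. Checking `/etc/timezone` (or `TZ`) inside the container against the senders' zone is the practical test.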