Graylog only shows logs on current UTC time

I have a Graylog server that had been running fine for years until we had to shut it down and move it to a different subnet. My root timezone is in UTC and my server time is in +8. My problem is that I cannot see the latest log entries; it only shows the logs based on the current UTC time.

I am using Graylog 2.4.6 running on Docker.

My current time is 13:16 Manila time. The latest entry in the screenshot is 8 hours behind.

Hello && Welcome

A couple of things you can check for troubleshooting.
Navigate to System/Overview and make sure the Date/Time is correct under Time configuration. All three should match your +8 time zone.

Check your Graylog server's date/time to ensure you're using the correct time zone.
If NTP was installed, check the status.

EDIT: I forgot to ask, do your users have a setting to adjust their personal time zones in Graylog 2.4? The reason I ask is that it is convenient with the newer versions of Graylog, as shown below:

Graylog server is in UTC

Yes, users have access to change their preferred time.

My server time is +8 and I put Asia/Manila in the Graylog config root_timezone, but the Graylog server time is still in UTC.

:thinking: That’s peculiar…

When you made the configuration change to graylog.config, did you execute a service restart?
My apologies, I’m not very good with Docker.

Graylog has a default user called Admin. Is this still accessible to you, or was this changed? If it wasn’t changed, can you log on with "Admin" and recheck the timestamp issue? For user admin, it uses the timezone defined in the /etc/graylog/server/server.conf file, parameter root_timezone.

The reason for this is I’m wondering whether only a created user has issues or it's a global issue.

I have also found this; another community member had a similar issue to yours.

And this, I noticed, was someone with Docker. Especially this part:

sudo docker-compose down
update your graylog.env with, for example America/New_York
TZ=Etc/GMT+8 <--I added this part for you.

Yes, I restarted the Docker container. I cannot execute docker-compose down because that will delete all the data that we have.

I can’t log in to the default admin account.

I understand.
I did some more research and from what I understand it's the GL server/Docker, but if you get a chance to read that last post, it has other ideas for you to try. One being the type of time zone needed. I also found issues on GitHub about the Docker version you have. Sorry I can’t be more help.

EDIT: Can you add your local files (/etc/timezone and /etc/localtime) as volumes in your Docker container?

Update your docker-compose.yml with the following lines.

- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"

So the container time is the same as on your host?


I was able to ask my colleague. The admin time configuration shows the Graylog server is also in UTC.

So it is your Docker container that holds Graylog.
I can’t think of anything else.

I updated the docker compose as suggested; now the times are all +8 but the data is still 8 hours late.

Sorry, that seems to fix the issue. It was the old data with future times that is still showing, but when I tried to access our sites and check the logs, the times are correct. Thank you.


Could you explain "Not all but data is still 8 hours late"? Kind of confusing, but if it's not working as expected, I’m not sure.

Did you check the Date/Time inside your Docker container?
Just to clarify, when you see the timezone incorrect in the Graylog Server Time configuration section, this would be Graylog picking up that date/time/zone. Since you're using Docker I would assume it's from your container date/time.

Oh, then don’t mind my last post :laughing:

And I don’t know anything about Docker, haha. When you get a chance, mark this as solved. Glad I could help :smiley:
I shouldn’t say anything :slight_smile:

Yes, thanks a lot. I just need to wait 8 hours so I can have clean data in my logs.

Nice, I’ve been wanting to learn more about Docker and this gave me the opportunity to do so. Thank you for letting me help you.

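Added example (not part of the thread and not Graylog code): a small Python model of why entries were stored 8 hours in the future and why an 8-hour wait followed the fix. It assumes the senders emit zone-less local timestamps, as RFC 3164 syslog does, and that the receiver interprets them in its own time zone; the sample timestamp, the year and all helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Manila has no DST, so a fixed +8 offset is an exact stand-in for Asia/Manila.
MANILA = timezone(timedelta(hours=8), "Asia/Manila")


def stored_timestamp(stamp, year, receiver_tz):
    """Interpret a zone-less 'Mmm dd HH:MM:SS' stamp as a receiver running in
    receiver_tz would, and return the UTC instant that ends up in the index."""
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=receiver_tz).astimezone(UTC)


def skew(stamp, year, receiver_tz, true_instant):
    """How far ahead of the real event time the stored timestamp is."""
    return stored_timestamp(stamp, year, receiver_tz) - true_instant


def in_relative_search(stored, now, window):
    """Model of a 'last N minutes' search: now - window <= stored <= now."""
    return now - window <= stored <= now


# Constructed sample: an event at 13:16 Manila time, sent without a zone.
TRUE_EVENT = datetime(2024, 1, 15, 13, 16, 0, tzinfo=MANILA)
STAMP = TRUE_EVENT.strftime("%b %d %H:%M:%S")  # what goes on the wire
WINDOW = timedelta(minutes=5)

if __name__ == "__main__":
    now = TRUE_EVENT + timedelta(minutes=1)
    for name, tz in (("container in UTC", UTC), ("container in +8", MANILA)):
        stored = stored_timestamp(STAMP, 2024, tz)
        print(f"{name}: stored {stored.isoformat()}, "
              f"skew {skew(STAMP, 2024, tz, TRUE_EVENT)}, "
              f"in last-5-min search now: "
              f"{in_relative_search(stored, now, WINDOW)}")
    # Entries already indexed with the UTC interpretation keep their
    # future timestamps until wall-clock time catches up with them.
    late = now + timedelta(hours=8)
    print("old entry visible 8 hours later:",
          in_relative_search(stored_timestamp(STAMP, 2024, UTC), late, WINDOW))
```

For incident timelines, entries indexed before the time zone fix carry a constant +8 hour error and need that offset subtracted when correlating with other sources.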
