How to deal with bad timestamps and slow performance?

We have an instance that is getting timestamps from the past and future on events, which I believe is causing all those indexes to stay in search even when looking at the last 5 minutes.

Currently we have everything sending to central syslog server and then forwarding to Graylog. Is it possible to create a pipeline or rsyslog template that automatically timestamps each event for proper ingestion?

How about having proper timestamps and devices that are in sync?


That would be ideal; however, we aren't able to touch the devices producing events.

Going to try the following:

```
# timegenerated is the time rsyslog received the message, as opposed to
# timereported, which is the timestamp carried in the message itself.
template(name="TimeRcFormat" type="string" string="<%pri%>%timegenerated% %HOSTNAME% %msg:1:31744%\n")
*.* @GRAYLOG_IP:5514;TimeRcFormat
```

If you’re going to be messing with the timestamps, I would very much suggest that you also check that there’s a field left over that holds the original timestamp as provided by the sending system. You may need this in case of a security incident or some audit.
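One way to apply the advice above (stamp each event with the receive time for indexing, but never lose the timestamp the device sent) is shown here as an added Python example; it is not the poster's rsyslog configuration and not Graylog or rsyslog project code. The receive time, the 5-minute skew window, the log lines and the output field names (`timestamp`, `original_timestamp`, `time_source`) are constructed for the example. It also handles the RFC 3164 case the thread does not spell out: those timestamps carry no year, so a late-December event received in early January would otherwise land almost a year in the future.

```python
"""Normalize syslog timestamps against the receive time, keeping the original.

Added example; assumptions: RFC 3164 and RFC 5424 input, a constructed receive
time, and illustrative output field names.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Optional

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# <PRI>Mmm dd HH:MM:SS host msg  (RFC 3164: no year, no time zone)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# <PRI>1 TIMESTAMP host rest  (RFC 5424; app/procid/msgid/sd stay in msg here)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def _parse_rfc3164_time(mon: str, day: str, hms: str,
                        received_at: datetime) -> datetime:
    h, m, s = (int(x) for x in hms.split(":"))
    # No year on the wire: assume the receive year, then back up one year if
    # that would put the event more than a day ahead of the receiver (a
    # December event that arrived in January).
    ts = datetime(received_at.year, MONTHS[mon], int(day), h, m, s,
                  tzinfo=received_at.tzinfo)
    if ts - received_at > timedelta(days=1):
        try:
            ts = ts.replace(year=ts.year - 1)
        except ValueError:  # Feb 29 rolled back into a non-leap year
            ts = ts.replace(year=ts.year - 1, day=28)
    return ts


def _parse_rfc5424_time(ts: str) -> Optional[datetime]:
    if ts == "-":  # RFC 5424 nil value: the device sent no timestamp
        return None
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return None
    # RFC 5424 requires an offset; treat a bare timestamp as UTC rather than drop it.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def normalize(line: str, received_at: datetime,
              max_skew: timedelta = timedelta(minutes=5)) -> dict:
    """Return an event whose `timestamp` is safe to index and search on.

    The device-reported time is always preserved in `original_timestamp`.
    When it is missing, unparseable, or further than `max_skew` from the
    receive time, `timestamp` falls back to the receive time and
    `time_source` records that the receiver supplied it.
    """
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return {"timestamp": received_at, "original_timestamp": None,
                "host": None, "message": line, "skew_seconds": None,
                "time_source": "unparsed"}
    gd = m.groupdict()
    if "ts" in gd:
        reported = _parse_rfc5424_time(gd["ts"])
    else:
        reported = _parse_rfc3164_time(gd["mon"], gd["day"], gd["hms"], received_at)
    if reported is None:
        ts, skew, source = received_at, None, "receiver"
    else:
        skew = (reported - received_at).total_seconds()
        if abs(skew) > max_skew.total_seconds():
            ts, source = received_at, "receiver"
        else:
            ts, source = reported, "device"
    return {"timestamp": ts, "original_timestamp": reported, "host": gd["host"],
            "message": gd["msg"], "skew_seconds": skew, "time_source": source}


# Constructed receive time and log lines for the example.
RECEIVED_AT = datetime(2024, 1, 5, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "<34>Jan  5 09:58:30 fw01 kernel: accepted tcp 10.0.0.5:443",    # 90 s old
    "<34>Dec 31 23:59:50 fw01 kernel: link down",                    # last year
    "<13>1 2035-03-01T00:00:00Z cam07 - - - - clock never set",      # far future
    "<13>1 2024-01-05T11:59:00+02:00 app01 web 123 - - login ok",    # 09:59Z
    "garbage without a syslog header",
]


def run_samples() -> list:
    return [normalize(line, RECEIVED_AT) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in run_samples():
        print(ev["time_source"], ev["timestamp"].isoformat(),
              ev["original_timestamp"], ev["message"])
```

Feeding the result to the indexer under `timestamp` while keeping `original_timestamp` and `skew_seconds` as separate fields gives the investigator both clocks; a persistent large skew on one host is itself a useful detection signal for a device whose clock was never set or was tampered with.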

Good point, we capture the full event also.

