We have an instance that is getting timestamps from the past and future on events, which I believe is causing all those indexes to stay in search even when looking at the last 5 mins.
Currently we have everything sending to a central syslog server and then forwarding to Graylog. Is it possible to create a pipeline or rsyslog template that automatically timestamps each event for proper ingestion?
If you’re going to be messing with the timestamps, I would very much suggest that you also check that there’s a field left over that holds the original timestamp as provided by the sending system. You may need this in case of a security incident or some audit.
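An added example, not from either post: the normalization the reply recommends, written in Python so it can be run against constructed events. It keeps the sender's claimed time in an `original_timestamp` field (field names, the 5-minute tolerance and the sample events are assumptions) and only overrides `timestamp` with the ingest clock when the skew is outside tolerance, so a Graylog pipeline rule doing the same would still leave an audit trail.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three syslog events as Graylog-style message dicts.
# 'timestamp' is what the sender claimed; RECEIVED_AT is the ingest clock.
RECEIVED_AT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"source": "web01", "message": "sshd: session opened",
     "timestamp": datetime(2024, 5, 1, 11, 59, 58, tzinfo=timezone.utc)},  # sane
    {"source": "cam02", "message": "NTP not set",
     "timestamp": datetime(2001, 1, 1, 0, 0, 0, tzinfo=timezone.utc)},     # far past
    {"source": "iot07", "message": "boot complete",
     "timestamp": datetime(2031, 5, 1, 12, 0, 0, tzinfo=timezone.utc)},    # future
]


def normalize_timestamp(event, received_at, max_skew=timedelta(minutes=5)):
    """Return a copy of event whose 'timestamp' is safe to index on.

    The sender's own timestamp is always copied into 'original_timestamp'
    (assumed field name) so an audit or incident review can still see what
    the device claimed. If it differs from the ingest clock by more than
    max_skew, 'timestamp' is replaced with received_at and
    'timestamp_adjusted' records the skew in seconds (negative = past).
    """
    out = dict(event)
    claimed = event.get("timestamp")
    out["original_timestamp"] = claimed
    if claimed is None:
        out["timestamp"] = received_at
        out["timestamp_adjusted"] = "missing"
        return out
    skew = claimed - received_at
    if abs(skew) > max_skew:
        out["timestamp"] = received_at
        out["timestamp_adjusted"] = int(skew.total_seconds())
    return out


def adjusted_sources(events, received_at):
    """Sources whose clocks are off: worth alerting on, not just silently fixing."""
    normalized = (normalize_timestamp(ev, received_at) for ev in events)
    return [e["source"] for e in normalized if "timestamp_adjusted" in e]
```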