How to deal with bad timestamps and slow performance?

We have an instance that is getting timestamps from the past and future on events, which I believe is causing all those indexes to stay in search when looking at the last 5 mins even.

Currently we have everything sending to central syslog server and then forwarding to Graylog. Is it possible to create a pipeline or rsyslog template that automatically timestamps each event for proper ingestion?

How about having proper timestamps and devices that are in sync?

That would be ideal; however, we aren't able to touch the devices producing events.

Going to try the following:

# Rewrite each event with the time rsyslog received it (%timegenerated%) instead of the device's own timestamp
template(name="TimeRcFormat" type="string" string="<%pri%>%timegenerated% %HOSTNAME% %msg:1:31744%\n")
# Forward every facility and severity to Graylog over UDP using that template
*.* @GRAYLOG_IP:5514;TimeRcFormat

If you’re going to be messing with the timestamps, I would very much suggest that you also check that there’s a field left over that holds the original timestamp as provided by the sending system. You may need this in case of a security incident or some audit.

Good point, we capture the full event also.
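As an added example (not posted by anyone in this thread), here is an rsyslog configuration that does what the thread converges on: the timestamp Graylog indexes on is the time rsyslog received the event, while the device's own timestamp is carried along as an RFC 5424 structured-data element so it survives as a separate field for incident or audit work. It assumes GRAYLOG_IP is a placeholder for the real address, reuses port 5514 from the thread, and assumes Graylog's syslog input parses RFC 5424 structured data into message fields (check that on your input; the "store full message" option is a safe fallback). The SD-ID `origts@32473` uses the enterprise number RFC 5424 reserves for documentation; substitute your own PEN in production.

```rsyslog
# Added example configuration; GRAYLOG_IP is a placeholder, port 5514 comes from the thread.
# Output is RFC 5424: version "1", received time in RFC 3339 form, and the device's
# reported timestamp preserved in structured data instead of being discarded.
template(name="TimeRcFormatKeepOrig" type="string"
         string="<%pri%>1 %timegenerated:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [origts@32473 reported=\"%timereported:::date-rfc3339%\"] %msg%\n")

# Forward everything to Graylog over UDP with that template.
# Swap protocol="udp" for "tcp" if the Graylog input is a TCP syslog input.
action(type="omfwd"
       target="GRAYLOG_IP"
       port="5514"
       protocol="udp"
       template="TimeRcFormatKeepOrig")
```

Graylog will then index on the received time (so the "last 5 minutes" search covers what actually arrived in the last 5 minutes), and the `reported` value tells you which devices have drifting clocks; a large, consistent gap between `reported` and the indexed timestamp for one host is the thing to chase with the device owners.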

