Normal procedure if you have problems with timestamps:
- Check that your device and the Graylog box both use NTP-synchronized time.
- Check that you use the correct timezone on the device.
- Check that you use the correct timezone in Linux on the Graylog box. Run the command
timedatectl
and check the fields Time zone and Local time: Time zone should be your real timezone and Local time should be your actual time.
- If the timezone on the Graylog box is not correct, change it:
sudo timedatectl set-timezone "Europe/Bratislava"
then reboot the Graylog box (change "Europe/Bratislava" to your real timezone).
- If you log in to the Graylog web interface as the user admin, check the timezone in server.conf (it can't be changed in the web interface for the admin user):
sudo vim /etc/graylog/server/server.conf
Find the line root_timezone = and set it to your real timezone, for example root_timezone = Europe/Bratislava
After that restart the Graylog service with:
sudo systemctl restart graylog-server
- If everything is correct (points 1-5), check the logs under System -> Inputs and click Show messages to see what timestamp the messages arrive with.
- Fortigate sends the date and the time in two separate fields (date and time), so you can use this pipeline rule to build the timestamp from them. The timezone in parse_date must be the timezone the Fortigate itself is configured with, which is not necessarily the timezone of the Graylog box:

```
rule "fortigate_timestamp"
when
  // only touch FortiGate messages that carry both halves of the timestamp
  has_field("devname") AND has_field("date") AND has_field("time")
then
  // build "<date> <time>", e.g. "2023-07-15 14:05:09"
  let build_message_0 = concat(to_string($message.date), " ");
  let build_message_1 = concat(build_message_0, to_string($message.time));
  // parse it as local time on the firewall; change the timezone to match your Fortigate
  let new_time = parse_date(value: build_message_1, pattern: "yyyy-MM-dd HH:mm:ss", timezone: "Europe/Bratislava");
  set_field("timestamp", new_time);
end
```
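To check which timezone value is right before deploying the rule, here is an added example (my own code, not from the original post and not part of Graylog) that does offline what the rule does: it splits a FortiGate key=value line, requires devname, date and time to be present, joins date and time, parses them as local time on the firewall and converts to UTC. It also shows the failure mode from the points above: how many hours the stored timestamp is off when the timezone in the rule does not match the firewall's real timezone. The sample log line, the device names in it and the fixed +02:00 offset used as a fallback are constructed assumptions.

```python
"""Combine FortiGate's split date/time fields into one UTC timestamp.

Added example (not from the original post or from Graylog): it does offline
what the pipeline rule does, so you can check which timezone value gives the
right result before deploying it. The sample line and names are constructed.
"""
import re
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Dict, Optional

# Constructed FortiGate-style syslog payload: key=value pairs, quoted where needed.
SAMPLE_LINE = (
    'date=2023-07-15 time=14:05:09 devname="fw-edge-01" devid="FGTEXAMPLE0001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 dstip=192.0.2.10 action="accept"'
)

UTC = timezone.utc
CEST = timezone(timedelta(hours=2))  # fixed +02:00, what Europe/Bratislava uses in July

# key=value where the value is either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value line into a dict, dropping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def device_timezone(iana_name: str, fallback_offset_hours: float) -> tzinfo:
    """Load an IANA zone (handles DST); fall back to a fixed offset if tzdata is missing."""
    try:
        from zoneinfo import ZoneInfo  # Python 3.9+
        return ZoneInfo(iana_name)
    except Exception:  # no zoneinfo module or no tzdata on this host
        return timezone(timedelta(hours=fallback_offset_hours))


def fortigate_timestamp(fields: Dict[str, str], device_tz: tzinfo) -> Optional[datetime]:
    """Mirror the rule's 'when' and 'then': require devname, date and time, then
    parse "<date> <time>" as local time on the firewall and return it in UTC."""
    if not all(k in fields for k in ("devname", "date", "time")):
        return None
    naive = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=device_tz).astimezone(UTC)


def timestamp_skew(fields: Dict[str, str], rule_tz: tzinfo, real_tz: tzinfo) -> timedelta:
    """How far off the stored timestamp ends up when the timezone written in the
    rule does not match the firewall's real timezone (the 'messages are hours off'
    symptom this thread is about). Positive means the stored time is in the future."""
    return fortigate_timestamp(fields, rule_tz) - fortigate_timestamp(fields, real_tz)


if __name__ == "__main__":
    fields = parse_kv(SAMPLE_LINE)
    bratislava = device_timezone("Europe/Bratislava", fallback_offset_hours=2)
    print("parsed:", fields["devname"], fields["date"], fields["time"])
    print("timestamp in UTC:", fortigate_timestamp(fields, bratislava).isoformat())
    # rule written with timezone "UTC" while the firewall actually runs on Bratislava time
    print("skew if the rule uses UTC:", timestamp_skew(fields, UTC, bratislava))
```

Run it with the date, time and timezone of a real message from System -> Inputs -> Show messages; if the printed UTC value does not match the time the event actually happened, the timezone in the rule (or on the firewall) is the wrong one, and the skew tells you by how much.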
Hope this helps.