Incorrect time in log


(alexis) #1

Hello,

Since I updated Graylog I have had problems with time. In fact, I now have 2 different times when I receive logs:

I have the same problem on my different inputs:
- Syslog TCP on port 5514, 5513
- Gelf TCP on port 12201

I have noted that the time configuration of the server is not the same:


Thanks for helping me


(Jan Doberstein) #2
  • from what Version did you update?
  • what is the server time of the sending server?
    • does the sending server include timezone information in the timestamp?
  • what is the timezone of the user you are using?
  • did you change anything else?

(Jan Doberstein) #3

Why exactly did you open a new topic instead of just continuing in the old one?


(alexis) #4

I don’t have timezone information in the timestamp.

I updated from 2.4.5 to 2.4.6


(Jan Doberstein) #5

With no timezone information, Graylog assumes that the input timezone is UTC.


(alexis) #6

So I have to get the timezone in the rsyslog configuration of the other server


(Jan Doberstein) #7

that would be the easiest way to solve it at the sender.


(alexis) #8

Yes, I tried to change the format with rsyslog but I still have the same problem.

I have tried to use a different template, like this:

$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
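
What posts #5 and #8 describe, as an added example that is not part of the thread or of Graylog's code: a zone-less RFC 3164 timestamp read as UTC lands two hours off for a sender at UTC+2, while a stamp that carries its own offset needs no guess. The sample lines, the function names and the fixed +02:00 offset are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the thread). The first has the shape the
# RFC3164fmt template above produces: "<PRI>Mmm dd HH:MM:SS host tag: msg".
RFC3164_LINE = "<38>Aug 31 14:42:07 web01 sshd[811]: Failed password for root"
RFC3339_LINE = "<38>2018-08-31T14:42:07+02:00 web01 sshd[811]: Failed password for root"

# Assumption: the sender runs at a fixed UTC+2 (Paris in summer). A real sender
# in that zone moves to +01:00 in winter, so the skew changes with DST.
SENDER_TZ = timezone(timedelta(hours=2))


def strip_pri(line):
    """Return the text after the <PRI> field."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> field")
    return line.split(">", 1)[1]


def parse_rfc3164(line, year, assumed_tz):
    """Parse 'Mmm dd HH:MM:SS'. The stamp has no year and no zone, so the
    receiver has to supply both; a wrong guess shifts the event in time."""
    stamp = strip_pri(line)[:15]
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)


def parse_rfc3339(line):
    """Parse a stamp that carries its own UTC offset; nothing is guessed."""
    stamp = strip_pri(line).split(" ", 1)[0]
    return datetime.fromisoformat(stamp)


def skew_when_assumed_utc(line, year, sender_tz):
    """How far the stored time is from the real event time when the receiver
    assumes UTC for a sender that actually logs in sender_tz."""
    stored = parse_rfc3164(line, year, timezone.utc)
    actual = parse_rfc3164(line, year, sender_tz)
    return stored - actual


if __name__ == "__main__":
    print("stored if UTC is assumed:", parse_rfc3164(RFC3164_LINE, 2018, timezone.utc))
    print("actual event time       :", parse_rfc3339(RFC3339_LINE))
    print("skew                    :", skew_when_assumed_utc(RFC3164_LINE, 2018, SENDER_TZ))
```

On the rsyslog side, the `date-rfc3339` property option (`%TIMESTAMP:::date-rfc3339%`) is what makes the sender emit a timestamp that includes its offset.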


(alexis) #9

Do you have an idea?

Because it’s not good when I receive logs, because the timestamp is not the right time.

Thanks in advance


(alexis) #10

Because it’s not possible to configure directly on the Graylog server.

Thanks for your help


(Jan Doberstein) #11

you might find this post / pipeline rule helpful to correct the time of the message with a pipeline


(alexis) #12

Yes, but if I do a rule with a pipeline, I think that the performance will not be very good.


(alexis) #13

Do you have an example for changing the date with a pipeline?

Thanks in advance


(Jan Doberstein) #14

in the linked post is one rule that does that.


(alexis) #15

Thanks, but it doesn’t work


(alexis) #16

I have created this pipeline

rule "timestamp_now+2"
when
true
then
let new_date = parse_date( to_string($message.timestamp),"yyyy-MM-dd HH:mm:ss.SSS","Europe/Paris");
set_field("timestamp", new_date);
end

And I have this error message from the input:

For rule 'timestamp_now+2': In call to function 'parse_date' at 5:15 an exception was thrown: Invalid format: "2018-08-31T14:42:07.000+02:00" is malformed at "T14:42:07.000+02:00"

Do you have an idea?


(Jan Doberstein) #17

You tell the rule that your timestamp looks like yyyy-MM-dd HH:mm:ss.SSS, but it is actually yyyy-MM-ddTHH:mm:ss.SSSX (it should work this way)


(alexis) #18

Thanks for the information.

I will try to use this


(alexis) #19

When I try your solution it doesn’t work. In fact I have this message in my logs:
For rule 'timestamp_now+2': In call to function 'parse_date' at 5:15 an exception was thrown: Illegal pattern component: T

When I delete the T I have this error message:
For rule 'timestamp_now+2': In call to function 'parse_date' at 5:15 an exception was thrown: Illegal pattern component: X

I tried to use this pipeline:

rule "timestamp_now+2"
when
true
then
let new_date = parse_date( to_string($message.timestamp)," yyyy-MM-dTHH:mm:ss.SSSX","Europe/Paris");
set_field("timestamp", new_date);
end

Do you have an idea?


(alexis) #20

I tried to use another element that I saw on the forum:

let new_timestamp = parse_date(to_string($message.log_timestamp), "yyyy-MM-dd HH:mm:ss,SSS", "AU", "Australia/Perth");

But it doesn’t work, I have a problem with this:
For rule 'timestamp_now+2': In call to function 'parse_date' at 5:20 an exception was thrown: Invalid format: ""

Do you have an idea?

Thanks in advance