Incorrect time in log

Hello,

Since I updated Graylog I have problems with time. In fact, I now have 2 different times when I receive logs:

I have the same problem on my different inputs:
- Syslog TCP on port 5514, 5513
- Gelf TCP on port 12201

I have noted that the time configuration of the server is not the same:

Thanks for helping me

  • from what Version did you update?
  • what is the server time of the sending server?
    • does the sending server include timezone information in the timestamp?
  • what is the timezone of the user you are using?
  • did you change anything else?

Why exactly did you open a new topic and not just continue in the old one?

I don’t have timezone information in the timestamp.

I updated from 2.4.5 to 2.4.6

With no timezone information, Graylog assumes that the input timezone is UTC.

So I have to get timezone in the rsyslog configuration of the other server

that would be the easiest way to solve it at the sender.

Yes, I tried to change the format with rsyslog but I still have the same problem.

I have tried to use a different template like this:

$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

Do you have an idea?

Because it’s not good when I receive logs, because the timestamp is not the right time.

Thanks in advance

Because it’s not possible to configure directly on the Graylog server.

Thanks for your help

you might find this post / pipeline rule helpful to correct the time of message with a pipeline

Yes, but if I make a rule with a pipeline, I think that performance will not be very good.

Do you have an example for changing the date with a pipeline?

Thanks in advance

in the linked post is one rule that does that.

Thanks, but it doesn’t work.

I have created this pipeline:

rule "timestamp_now+2"
when
true
then
let new_date = parse_date( to_string($message.timestamp),"yyyy-MM-dd HH:mm:ss.SSS","Europe/Paris");
set_field("timestamp", new_date);
end

And I’ve this error message from input :

For rule 'timestamp_now+2': In call to function 'parse_date' at 5:15 an exception was thrown: Invalid format: "2018-08-31T14:42:07.000+02:00" is malformed at "T14:42:07.000+02:00"

Do you have an idea?

You give the rule the information that your timestamp looks like yyyy-MM-dd HH:mm:ss.SSS, but it is actually yyyy-MM-ddTHH:mm:ss.SSSX (should work this way).

Thanks for information.

I try to use this

When I try your solution it doesn’t work. In fact I have this message in my logs:
For rule 'timestamp_now+2': In call to function 'parse_date' at 5:15 an exception was thrown: Illegal pattern component: T

When I delete the T I have this error message:
For rule 'timestamp_now+2': In call to function 'parse_date' at 5:15 an exception was thrown: Illegal pattern component: X

I tried to use this pipeline:

rule "timestamp_now+2"
when
true
then
let new_date = parse_date( to_string($message.timestamp)," yyyy-MM-dTHH:mm:ss.SSSX","Europe/Paris");
set_field("timestamp", new_date);
end

Do you have an idea?

I tried to use another element that I saw on the forum:

let new_timestamp = parse_date(to_string($message.log_timestamp), "yyyy-MM-dd HH:mm:ss,SSS", "AU", "Australia/Perth");

But it doesn’t work, I have a problem with this:
For rule 'timestamp_now+2': In call to function 'parse_date' at 5:20 an exception was thrown: Invalid format: ""

Do you have an idea?

Thanks in advance
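
An added example, not part of the thread and not Graylog code: Python showing how a zone-less syslog timestamp lands at the wrong instant when the receiver assumes UTC, and why the correction has to follow the sender's zone rules instead of a fixed number of hours. The sender zone Europe/Paris is taken from the rule above; the RFC 3164 sample timestamps, the year argument and the function names are constructed for the illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+, uses the system tz database

# Assumption: the sending hosts keep local time in this zone (taken from the rule above).
SENDER_ZONE = ZoneInfo("Europe/Paris")

def parse_rfc3164(stamp: str, year: int) -> datetime:
    """Parse an RFC 3164 timestamp such as 'Aug 31 14:42:07'.
    The format carries neither year nor zone, so the result is naive."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def assumed_utc(naive: datetime) -> datetime:
    """The receiver's reading when it treats a zone-less timestamp as UTC."""
    return naive.replace(tzinfo=timezone.utc)

def sender_instant(naive: datetime, zone: ZoneInfo = SENDER_ZONE) -> datetime:
    """The real instant: attach the sender's zone to the wall clock, then convert to UTC."""
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)

def skew_hours(stamp: str, year: int) -> float:
    """How far ahead of the real event the UTC-assumed timestamp lands."""
    naive = parse_rfc3164(stamp, year)
    return (assumed_utc(naive) - sender_instant(naive)).total_seconds() / 3600

def offset_instant(stamp: str) -> datetime:
    """A timestamp that carries its own offset needs no assumption at all."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)

if __name__ == "__main__":
    # Constructed sample timestamps, one in summer time and one in winter time.
    for stamp in ("Aug 31 14:42:07", "Jan 15 14:42:07"):
        naive = parse_rfc3164(stamp, 2018)
        print(stamp, "| read as UTC:", assumed_utc(naive).isoformat(),
              "| real instant:", sender_instant(naive).isoformat(),
              "| skew (h):", skew_hours(stamp, 2018))
    # The string from the error message above already includes +02:00.
    print(offset_instant("2018-08-31T14:42:07.000+02:00").isoformat())
```

The skew differs between the summer and winter samples, which is what breaks event correlation across sources when a constant shift is applied all year.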