Log getting placed late in graylog

So everytime this log triggers via Cisco firepower it takes 20 mins to make it into graylog. How can i troubleshoot the hold up? I see it come into rsyslog properly and the time is correct. What could it be?

Mar  5 13:07:35 f-us3101-fp SecurityIntelligence: Protocol: TCP, SrcIP:, OriginalClientIP: ::, DstIP:, SrcPort: 36974, DstPort: 22, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside10, IngressZone: inside, DE: Primary Detection Engine (971f6924-9b97-11e6-bbab-d7d0edfkjjkjkk), Policy: Internet AC AMP Policy, ConnectType: Start, AccessControlRuleName: Unknown, AccessControlRuleAction: Block, AccessControlRuleReason: IP Block, Prefilter Policy: Unknown, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 66, ResponderBytes: 0, NAPPolicy: Intrusion Policy, DNSResponseType: No Error, Sinkhole: Unknown, IPReputationSICategory: Malware, URLCategory: Unknown, URLReputation: Risk unknown

There’s no timezone information in that message, so that Graylog automatically assumes UTC. If your servers (i. e. the syslog clients) do not run with timezone UTC, the messages will appear to “come in late” (or early, depending on your relative time offset to UTC).

Damn, ok. Thank you for getting me in the correct direction. This is the default message format that firepower sends the syslog messages. I gotta figure out a way to get tz info attached to it.

If that’s not possible, you could use the processing pipelines to change the message timestamp to the correct timezone.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.