Logs have time travelled into the future

Dear All,

I have a Palo Alto firewall log source using the plugin in the integration package on Graylog 3.1.2.

The log source has an ntp time source set to JST, however logs from the log source are in the future by nine hours therefore the relative search is broken and you can only use the absolute search with the time settings set to nine hours ahead.

No other log sources are suffering the same issue. I have also tried with both the admin user and another user set to JST and the issue still exists with the source.

Am I correct that the log source is most likely the problem i.e log source is taking JST NTP time and further advancing again by nine hours?Anyone here encountered this before?

Cheers

Jake Smith

Hello @Magneton!

I have encountered a similar issue. In our case the source said that it was sending the timezone but Graylog clearly showed in the message that it was not receiving an offset. I corrected it with a pipeline to shift messages from that source into the correct timezone.

Try to extract timestamp to own field and after that fix timezone with pipeline rule:

rule "pa_fix_timestamp"
when
  has_field("pa_timestamp")
then
    let new_time = parse_date(value: to_string($message.pa_timestamp), pattern:"yyyy-MM-dd HH:mm:ss", timezone:"Europe/Bratislava");
    set_field("timestamp", new_time);
end

You your own pattern for time and date…
https://docs.graylog.org/en/3.3/pages/pipelines/functions.html#parse-date

Thanks all,

That is what I did and move them back to correct issue.

Cheers

Jake

1 Like