a new dhcp server delivering it’s syslog messages to graylog. With tcpdump I see the packets arriving. Decoded with wireshark they are looking like this:
<30>Jul 25 10:47:37 dhcp dhcpd: DHCPACK on x.x.x.x to 00:50:56:xx:xx:xx (name) via eth0
<27>Jul 25 10:47:38 dhcp dhcpd: DHCPDISCOVER from a0:63:91:xx:xx:xx via x.x.x.x: network x.x.x.x/23: no free leases
<30>Jul 25 10:47:38 dhcp dhcpd: DHCPINFORM from x.x.x.x via x.x.x.x
They are hitting the right port. Other servers are delivering the messages the same way and are shown. Any idea why they are not shown?
maybe because of the missing timezone information they are not displayed at the “expected” time? Cause Graylog see timestamp without the information about a timezone as UTC …
Good guess Is there a way to correct the default timezone if there is non seen? I mean this is explaining a lot of trouble I faced with various servers…
the possible best solutions are:
- fixing the sender to include a timestamp
- use one specific per Input per timezone and redirect the servers in that timezone to that input and use the extractors to correct that
- use the processing pipeline to decide on a per host base if that correction need to be done and how.
I would use the third option as this is the most flexible one. That way is described quite a few times in this community and the search will help you!
I fixed it by adding
root_timezone = CET
root_timezone - * The time zone setting of the root user. See this list of valid time zones. Default is UTC.
You use the
admin user and the display of the time wasn’t correct?
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.