Nxlog Correcting Timestamp Field

All,

Past week we ran into an issue where the timestamp field was incorrect. Yes, I looked at pipelines, extractors, GitHub/forum, and there are a lot of solutions. It took a couple of days to look through everything that would pertain to our unique issue. Thought I'd share this simple solution for how we corrected the timestamp field from UTC to the current local time of the remote device log shipper :thinking:

Overview:
Graylog is located in America/Chicago. Virtual Desktops are in Rodenbach, Germany, and the United Kingdom (UK). When we receive these messages/logs the timestamp field is in UTC, which is correct in a way, but filtering out messages from different time zones is where the issue begins.

We're using Graylog 2.4, Elasticsearch 5.8 and MongoDB 3.0 (yes, this was one of our first Graylog installations). Unfortunately nothing on Graylog has been changed in 5 years (freakin' time capsule). There are two INPUTs, Syslog UDP and Raw/Plaintext UDP, and all the VDIs run Windows OSes. We do have software/hardware installations configured to secure messages/logs since we haven't done upgrades in 5 years. Our log shipper of choice in this environment is Nxlog, which has a simple configuration and has also been untouched for 5 years. Yes, we're in the process of a major upgrade :worried:.

Nxlog Old Configuration File:

## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
    Module      xm_syslog
</Extension>
<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>
<Output out>
    Module      om_udp
    Host        graylog.domain.com
    Port        5145
    Exec        to_syslog_snare();
</Output>
<Route 1>
    Path        in => out
</Route>

Message Received before:

I knew what we could do to resolve the timestamp field issue. Since all messages/logs received are on one INPUT (Syslog UDP), this was our second problem. Unable to make major/minor configuration changes to this environment, we had to find a different solution.

Looked into the to_syslog_snare(); EXEC call, which led us to some nxlog documentation, and finally found the culprit that was adding the crappy timestamp:


Noticed a sentence stating there was a newer set of RFCs for syslog called the IETF Syslog Protocol (RFCs 5424-5426) that defined a syslog standard meant to obsolete RFC 3164. We looked at the RFC and they use a timestamp that includes time zones!

The time zone isn't the only thing that changed in the IETF format, and I didn't know how the current input would react to receiving messages in the IETF format, but I wanted to try anyway. Further down the "xm_syslog" page, I found that there was a "to_syslog_ietf();" call. We used that instead of the "to_syslog_snare();" call, edited the nxlog.conf file, restarted the service, and finally started getting logs at the correct time :partying_face:

The solution was to adjust the Nxlog configuration file.

## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
    Module      xm_syslog
</Extension>
<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>
<Output out>
    Module      om_udp
    Host        graylog.domain.com
    Port        5145
    Exec        to_syslog_ietf();   # <--- This was our solution
</Output>

<Route 1>
    Path        in => out
</Route>

New messages/logs received :smiley: Sorry if the screenshot is too small, but I think whoever reads this gets it.

It was as simple as changing one line in the Nxlog input section.

From: <Exec to_syslog_snare();>
To: <Exec to_syslog_ietf();>

A question was asked:

What would be the difference using GELF compared to the configuration above in Nxlog?

Nxlog's new configuration seems to display the same number of fields as GELF.
Any suggestions on this question are more than welcome.
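To make the time-zone point from the IETF paragraph concrete, and to address the GELF question, here is an added Python example (not from the original post, and not NXLog or Graylog code). It parses a constructed Snare-style RFC 3164 message (what to_syslog_snare() emits), a constructed RFC 5424 message (what to_syslog_ietf() emits) and a constructed GELF record, then measures how far each lands from the true event instant when the receiver is in America/Chicago. The fixed UTC-5 receiver offset, the UTC+2 shipper offset, the host name and the event text are all assumptions made for the example.

```python
"""Added example: why an RFC 3164/Snare timestamp needs a guessed zone while
RFC 5424 (to_syslog_ietf) and GELF carry enough information to be unambiguous.
All three messages below are constructed for this example, not captured logs."""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed zones: shipper in Germany during summer time (UTC+2),
# receiver (Graylog) in America/Chicago during daylight time (UTC-5).
# Fixed offsets keep the example independent of the OS tz database.
SHIPPER_TZ = timezone(timedelta(hours=2), name="CEST")
RECEIVER_TZ = timezone(timedelta(hours=-5), name="CDT")

# The single instant at which the constructed event really happened.
TRUE_INSTANT = datetime(2023, 6, 1, 14, 30, 0, tzinfo=SHIPPER_TZ)

# 1) Snare/BSD header (to_syslog_snare): month, day, wall-clock time, no zone, no year.
SNARE_MSG = ("<13>Jun  1 14:30:00 vdi-de-01 MSWinEventLog\t1\tSecurity\t4624"
             "\tAn account was successfully logged on")

# 2) RFC 5424 header (to_syslog_ietf): ISO 8601 timestamp with an explicit offset.
IETF_MSG = ("<13>1 2023-06-01T14:30:00.000000+02:00 vdi-de-01 Security 4624 - - "
            "An account was successfully logged on")

# 3) GELF record: 'timestamp' is seconds since the UNIX epoch, so it is zone-independent.
GELF_MSG = json.dumps({"version": "1.1", "host": "vdi-de-01",
                       "short_message": "An account was successfully logged on",
                       "timestamp": TRUE_INSTANT.timestamp()})

RFC3164_HDR = re.compile(r"^<\d{1,3}>(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
RFC5424_HDR = re.compile(r"^<\d{1,3}>1 (?P<ts>\S+) ")


def parse_snare(msg, assumed_tz, year=2023):
    """RFC 3164 carries neither year nor zone; the receiver has to supply both.
    Whatever zone it assumes is silently attached to the shipper's wall-clock time."""
    m = RFC3164_HDR.match(msg)
    if not m:
        raise ValueError("not an RFC 3164 header")
    naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)


def parse_ietf(msg):
    """RFC 5424 timestamps include the offset, so no assumption is needed."""
    m = RFC5424_HDR.match(msg)
    if not m:
        raise ValueError("not an RFC 5424 header")
    return datetime.fromisoformat(m["ts"])


def parse_gelf(msg):
    """GELF 'timestamp' is an epoch value; interpret it as UTC."""
    return datetime.fromtimestamp(json.loads(msg)["timestamp"], tz=timezone.utc)


def skew_minutes(parsed, true_instant=TRUE_INSTANT):
    """How far (in minutes) the receiver's idea of the event is from reality."""
    return round((parsed - true_instant).total_seconds() / 60)


def compare():
    """Skew for each message style, as a receiver in America/Chicago would see it."""
    return {
        "snare_assume_utc": skew_minutes(parse_snare(SNARE_MSG, timezone.utc)),
        "snare_assume_receiver_local": skew_minutes(parse_snare(SNARE_MSG, RECEIVER_TZ)),
        "ietf": skew_minutes(parse_ietf(IETF_MSG)),
        "gelf": skew_minutes(parse_gelf(GELF_MSG)),
    }


if __name__ == "__main__":
    for style, minutes in compare().items():
        print(f"{style:28s} off by {minutes:+d} minutes")
```

Running it shows the Snare message landing two hours late when the receiver assumes UTC and seven hours late when it assumes its own local zone, while the RFC 5424 and GELF messages land exactly on the true instant. That is the practical difference behind the GELF question: both to_syslog_ietf() and GELF hand the receiver an unambiguous instant, so neither depends on which zone the Graylog input guesses; the difference between them is the transport and field layout, not the timestamp's correctness.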
