louis
1
For some IMHO stupid reason, (pipeline) rule changes:
- do become effective in the simulator intermediately … however
- do take, in my case one hour, before the changed rules are processed
That is NOT OK of course.
From the internet I get the impression that it has something to do with time zone’s. However what ever the reason is, it should simple not occur.
For info:
- I am running the very latest version of graylog and opensearch
- graylog: root_timezone = Europe/Amsterdam
- open search: I did not change time zone settings in Open Search
- I did not change time zone in MongoDB
- linux (ubuntu) time is UTC
In my opinion this behavoir is a bug, I can not see it another way. But apart from that I need help to solve the problem.
Config changes should of course become effective intermediately.
What are the pipeline rules doing? Is this a single Graylog node, or multiple nodes in a cluster?
louis
3
I found the problem. The alarms where displayed on my pfSense system in local time, but send to graylog in utc.
So the time on the graylog dashboard did match the time in the message, which was not the expected local time.
I fixed it by adding the time zone in the graylog input. That solved the problem.
The graylog timestamp now shows the local time and the alarms are not shown a hour delayed.
Note that I am still building the ruleset and dashboard. That is also why I did not understand the problem in first instance
1 Like
system
(system)
Closed
4
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
