I still have issues with timestamps. I don’t understand why it gives me +2. I just want the original timestamp to show and the system should not modify anything.
I have created a (working) pipeline because of the previous topic I created. This is the result.
But I still see:
Why would the system show me my timezone timestamp? That is so not logical…
I want to see the timestamp of the message. Not the timestamp of the message modified to my current timezone.
Rule on my pipeline:
```
rule "fortigate timestamp"
when
    has_field("devname") && has_field("date") && has_field("time")
then
    // build "yyyy-MM-dd HH:mm:ss" from the two FortiGate fields
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    // parse it as wall-clock time in the device's zone (pattern uses "ss", not "sss")
    let new_timestamp = parse_date(value:to_string(build_message_1), pattern:"yyyy-MM-dd HH:mm:ss", timezone:"Europe/Amsterdam");
    set_field("timestamp", new_timestamp);
    set_field("Timestamp", new_timestamp);
    set_field("test_timestamp", new_timestamp);
end
```
Maybe I need to wait for 2 hours for it to catch up, but changing to absolute time and going 2 hours or more into the future still shows wrong messages.
According to my old topic, this should have been fixed in 3.0.
But I'm on Graylog 3.0.2+1686930.
-edit-
Since the devices in question are already in TZ Europe/Amsterdam, should I change the new timestamp to UTC first? And then I get correct timestamps?.. That's not logical either but…
I think this is my solution (created a new index to put the messages in). I also read somewhere that using a RAW TCP input might help; that wasn't the case. Using SYSLOG TCP port 30000.
Created a stream for my fortigates (SYSLOG TCP 30000)
Created a pipeline for this stream
Set “Continue processing on next stage when” to any
Use the rule Epoch Convert
```
rule "Epoch Convert"
when
    has_field("devname") && has_field("date") && has_field("time") && has_field("eventtime")
then
    // Unix epoch as a date; the quoted space is a literal in the pattern
    let epoch = parse_date("1970-01-01 00:00:00.000Z", "yyyy-MM-dd' 'HH:mm:ss.SSSZ");
    // FortiGate eventtime is seconds since the epoch
    let ts_seconds = seconds(to_long($message.eventtime));
    set_field("epoch_timestamp", epoch + ts_seconds);
    set_field("timestamp", epoch + ts_seconds);
end
```
Now my messages show up correctly for my timezone. FortiGates are configured for Europe/Amsterdam, and so is my timezone:
You should always store the timestamps as UTC for all of your systems, regardless of the local timezone. This gives you consistent data.
The console will then show you the timestamp in your local zone, based on your profile preferences: click on your name, then Edit Profile, then edit your timezone.
What you can see from mine is that the @timestamp (which is what is actually written to the index) is UTC, but the “timestamp” column is calculated based on my local timezone (+10). If I wanted to see/search on that in +2, UTC or any other timezone, I just need to edit my profile.
That way, when you search for “what happened in the last 8 hours globally”, you will see results from all your devices based on the true last 8 hours, regardless of what timezone they are in.
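To make the two points above concrete (the "Epoch Convert" solution and the store-UTC/display-local advice), here is an added Python illustration that is not part of the thread or of Graylog: it converts the same constructed FortiGate record both ways, shows the 7200 s error that appears when the device's wall-clock time is stored as if it were UTC, and renders the stored UTC value in two viewer zones. The sample field values and the "Australia/Brisbane" viewer zone (a +10 zone) are assumptions.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+

DEVICE_TZ = ZoneInfo("Europe/Amsterdam")  # zone the FortiGates are configured for

# Constructed sample FortiGate fields, not taken from a real device.
SAMPLE = {"date": "2019-06-04", "time": "14:30:00", "eventtime": "1559651400"}

def eventtime_to_utc(eventtime: str) -> datetime:
    """Mirror of the 'Epoch Convert' rule: epoch + seconds -> UTC datetime.
    Some FortiOS releases emit eventtime in nanoseconds; a value that large
    is scaled down to seconds before conversion."""
    value = int(eventtime)
    if value > 10**12:          # far beyond any plausible seconds value
        value //= 10**9
    return datetime.fromtimestamp(value, tz=timezone.utc)

def fields_to_utc(date: str, time: str, tz=DEVICE_TZ) -> datetime:
    """Mirror of the 'fortigate timestamp' rule: parse date + time as
    wall-clock time in the device's zone, then normalise to UTC for storage."""
    local = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def offset_if_zone_ignored(date: str, time: str, tz=DEVICE_TZ) -> int:
    """Seconds of error when the device's local time is stored as if it were
    already UTC (the '+2' symptom: 14:30 CEST stored as 14:30 UTC)."""
    naive = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    as_utc = naive.replace(tzinfo=timezone.utc)
    return int((as_utc - fields_to_utc(date, time, tz)).total_seconds())

def display_local(ts_utc: datetime, viewer_tz: str) -> str:
    """What the UI does: the stored UTC value rendered in the viewer's zone."""
    return ts_utc.astimezone(ZoneInfo(viewer_tz)).isoformat()

if __name__ == "__main__":
    stored = eventtime_to_utc(SAMPLE["eventtime"])
    from_fields = fields_to_utc(SAMPLE["date"], SAMPLE["time"])
    print("stored @timestamp (UTC):", stored.isoformat())
    print("date/time route agrees with eventtime:", stored == from_fields)
    print("error if device zone ignored:",
          offset_if_zone_ignored(SAMPLE["date"], SAMPLE["time"]), "s")
    print("shown in Europe/Amsterdam:", display_local(stored, "Europe/Amsterdam"))
    print("shown in Australia/Brisbane:", display_local(stored, "Australia/Brisbane"))
```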