Strange problem with time in alert


Graylog 5.2.4. I have a problem with the time I get in the Graylog response for the event. In the e-mail that arrives, the time is ok:

Timestamp 2024-03-12T07:47:04.005+01:00
Timestamp Processing 2024-03-12T07:47:04.005+01:00

But the time in the API response is an hour earlier:

"timestamp": "2024-03-12T06:47:04.005Z",
"timestamp_processing": "2024-03-12T06:49:54.213Z"

My config in System/Overview is:

Time configuration
User admin:
2024-03-12 08:03:09 +01:00
Your web browser:
2024-03-12 08:03:09 +01:00
Graylog server:
2024-03-12 08:03:09 +01:00

Alerts/Notifications/ Time zone for date/time values is set for CET

On the OS:

Local time: Tue 2024-03-12 07:54:13 CET
Universal time: Tue 2024-03-12 06:54:13 UTC
RTC time: Tue 2024-03-12 06:54:13
Time zone: Europe/Warsaw (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

In the server.conf:

root_timezone = CET (I tried with UTC also)
root_timezone = Europe/Warsaw

Do you have any ideas where the problem is and what else to check?
What catches my attention is that the response from the API is in UTC format (2024-03-12T06:47:04.005Z). I don’t know why or where to change it.

Additional information is as follows: if I add a new field in “Event Definitions” with: “${source.timestamp}”, this field also contains UTC time, both in the API and in the e-mail.

But when I look for the timestamp field in the log (in Search in Graylog), the field has the correct CET time 🙂

Hey @Demiurg

I think when you use the API, it goes against your indexer ES/OS, which uses UTC, hence the hour difference.
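
Added example (not part of the original thread): parsing the e-mail and API values quoted in the question as timezone-aware instants shows which differences are only a UTC versus +01:00 rendering and which are real gaps between the two values. The function and variable names are hypothetical; the sample values are copied from the post.

```python
import json
from datetime import datetime, timedelta

# Values copied from the question: e-mail notification vs. API response.
EMAIL = {
    "timestamp": "2024-03-12T07:47:04.005+01:00",
    "timestamp_processing": "2024-03-12T07:47:04.005+01:00",
}
API_JSON = (
    '{"timestamp": "2024-03-12T06:47:04.005Z",'
    ' "timestamp_processing": "2024-03-12T06:49:54.213Z"}'
)


def parse_iso(value):
    """Parse an ISO 8601 timestamp with an offset or a trailing Z (UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat() accepts Z only on 3.11+
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        # A naive timestamp cannot be compared safely across systems.
        raise ValueError(f"timestamp has no UTC offset: {value!r}")
    return dt


def compare(email, api):
    """Per field: (API value rendered in the e-mail's offset, real gap)."""
    result = {}
    for field, email_raw in email.items():
        email_dt = parse_iso(email_raw)
        api_dt = parse_iso(api[field])
        # Aware datetimes subtract as instants: a pure zone change gives zero.
        gap = api_dt - email_dt
        local = api_dt.astimezone(email_dt.tzinfo)
        result[field] = (local.isoformat(timespec="milliseconds"), gap)
    return result


REPORT = compare(EMAIL, json.loads(API_JSON))

if __name__ == "__main__":
    for field, (local, gap) in REPORT.items():
        verdict = "same instant" if gap == timedelta(0) else f"differs by {gap}"
        print(f"{field}: API value in e-mail offset = {local} ({verdict})")
```

Comparing aware datetimes rather than strings keeps event timelines consistent when notifications and API clients render the same event in different zones.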
