Synchronization issue on Graylog

50m1a · February 22, 2024, 10:57pm

Hey Community,

graylog-server : Version 4.3.8-1

I’m facing a synchronization issue on Graylog. The timezone configuration is as follows:

Suricata: GMT+1
Wazuh Manager: GMT+1
Graylog: GMT+1

Normally, logs are sent to the Wazuh Manager, in the file “/var/ossec/logs/alerts/alerts.json”. In this file, the timestamp is correct. However, after Fluent Bit sends it to Graylog, the timestamps change.

cat /var/ossec/logs/alerts/alerts.json

{"timestamp":"2024-02-22T23:54:51.032009+0100","flow_id":"641309285439618.000000","in_iface":"ens33","event_type":"alert","src_ip":"13.32.145.91","src_port":"80","dest_ip":"192.168.40.133","dest_port":"37356","proto":"TCP","pkt_src":"wire/pcap","community_id":"1:pq4C35OJHG9NvpM3htXxNNHvnn0=","alert":{"action":"allowed","gid":"1","signature_id":"2100498","rev":"7","signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":"2","metadata":{"created_at":["2010_09_23"],"updated_at":["2019_07_26"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"200","length":"39"},"files":[{"filename":"/uid/index.html","gaps":false,"state":"CLOSED","stored":false,"size":39,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":"5","pkts_toclient":"4","bytes_toserver":"382","bytes_toclient":"771","start":"2024-02-22T23:54:50.870212+0100","src_ip":"192.168.40.133","dest_ip":"13.32.145.91","src_port":"37356","dest_port":"80"}},"location":"/var/log/suricata/eve.json"}

in graylog interface

2024-02-22 23:54:56.103	
{"true":1708642492.421258,"timestamp":"2024-02-22T17:54:51.878-0500","rule":{"level":3,"description":"Suricata: Alert - GPL ATTACK_RESPONSE id check returned root","id":"86601","firedtimes":105,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"001","name":"lab-ids","ip":"192.168.40.133"},"manager":{"name":"LAB-SOC"},"id":"1708642491.2394214","decoder":{"name":"json"},"data":{"timestamp":"2024-02-22T23:54:51.032009+0100","flow_id":"641309285439618.000000","in_iface":"ens33","event_type":"alert","src_ip":"13.32.145.91","src_port":"80","dest_ip":"192.168.40.133","dest_port":"37356","proto":"TCP","pkt_src":

Wine_Merchant · March 1, 2024, 12:42pm

Hello @50m1a

Where are you setting the timezone within Graylog, for example is it set on the user you use to login to Graylog?

system · March 15, 2024, 12:42pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog shows log after 9 hour with wrong timestamp Graylog Central (peer support)	2	1965	May 5, 2021
Timezone issues. Logs are shown 1 hour behind Graylog Central (peer support)	8	3559	September 17, 2020
Timestamps not lining up Graylog Central (peer support) time-stamp-issuespl	4	1350	October 6, 2023
Logs delayed on time Graylog Central (peer support)	7	2797	April 23, 2019
Timestamp in graylog does not match logs being ingested Graylog Central (peer support) timestamp	4	435	May 31, 2023

Synchronization issue on Graylog

Related topics