Synchronization issue on Graylog

Hey Community,

  • graylog-server: Version 4.3.8-1

I’m facing a synchronization issue on Graylog. The timezone configuration is as follows:

  • Suricata: GMT+1
  • Wazuh Manager: GMT+1
  • Graylog: GMT+1

Normally, logs are sent to the Wazuh Manager, in the file “/var/ossec/logs/alerts/alerts.json”. In this file, the timestamp is correct. However, after Fluent Bit sends it to Graylog, the timestamps change.

cat /var/ossec/logs/alerts/alerts.json

{"timestamp":"2024-02-22T23:54:51.032009+0100","flow_id":"641309285439618.000000","in_iface":"ens33","event_type":"alert","src_ip":"13.32.145.91","src_port":"80","dest_ip":"192.168.40.133","dest_port":"37356","proto":"TCP","pkt_src":"wire/pcap","community_id":"1:pq4C35OJHG9NvpM3htXxNNHvnn0=","alert":{"action":"allowed","gid":"1","signature_id":"2100498","rev":"7","signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":"2","metadata":{"created_at":["2010_09_23"],"updated_at":["2019_07_26"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"200","length":"39"},"files":[{"filename":"/uid/index.html","gaps":false,"state":"CLOSED","stored":false,"size":39,"tx_id":0}],"app_proto":"http","direction":"to_client","flow":{"pkts_toserver":"5","pkts_toclient":"4","bytes_toserver":"382","bytes_toclient":"771","start":"2024-02-22T23:54:50.870212+0100","src_ip":"192.168.40.133","dest_ip":"13.32.145.91","src_port":"37356","dest_port":"80"}},"location":"/var/log/suricata/eve.json"}

In the Graylog interface:

2024-02-22 23:54:56.103
{"true":1708642492.421258,"timestamp":"2024-02-22T17:54:51.878-0500","rule":{"level":3,"description":"Suricata: Alert - GPL ATTACK_RESPONSE id check returned root","id":"86601","firedtimes":105,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"001","name":"lab-ids","ip":"192.168.40.133"},"manager":{"name":"LAB-SOC"},"id":"1708642491.2394214","decoder":{"name":"json"},"data":{"timestamp":"2024-02-22T23:54:51.032009+0100","flow_id":"641309285439618.000000","in_iface":"ens33","event_type":"alert","src_ip":"13.32.145.91","src_port":"80","dest_ip":"192.168.40.133","dest_port":"37356","proto":"TCP","pkt_src":
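Before touching any timezone setting, the check a defender would run on the values quoted above is to normalize every one of them to UTC and see whether they disagree at all or are just the same instant printed in different offsets. The Python below is an added example, not code from the thread or from Graylog, Wazuh or Fluent Bit; it assumes the Graylog UI column is rendered in GMT+1 as the post states, and that the float under the "true" key is an epoch timestamp in seconds.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the post above (constructed test data, not a live feed).
SURICATA_TS = "2024-02-22T23:54:51.032009+0100"  # data.timestamp in alerts.json, GMT+1
WAZUH_TS = "2024-02-22T17:54:51.878-0500"        # top-level timestamp shown in Graylog
ALERT_ID = "1708642491.2394214"                   # Wazuh alert id: epoch seconds + counter
FLUENT_EPOCH = 1708642492.421258                  # "true" field; assumed to be epoch seconds
GRAYLOG_UI = "2024-02-22 23:54:56.103"            # Graylog timestamp column, no offset printed

ISO_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # %z accepts +0100/-0500, %f accepts 3 or 6 digits


def iso_to_utc(ts: str) -> datetime:
    """Parse an offset-bearing ISO 8601 string and convert it to UTC."""
    return datetime.strptime(ts, ISO_FMT).astimezone(timezone.utc)


def epoch_to_utc(secs: float) -> datetime:
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def ui_to_utc(shown: str, offset_hours: int) -> datetime:
    """The Graylog UI prints no offset; it renders in the viewer's configured zone,
    so that zone must be supplied to interpret the displayed value."""
    naive = datetime.strptime(shown, "%Y-%m-%d %H:%M:%S.%f")
    zone = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def same_instant(a: datetime, b: datetime, tolerance_s: float = 2.0) -> bool:
    """True when two aware datetimes differ by less than the tolerance, i.e. they
    are one event rendered in different zones rather than a real time shift."""
    return abs((a - b).total_seconds()) < tolerance_s


def drift_report(ui_offset_hours: int = 1) -> dict:
    """Seconds between each quoted value and the Suricata event time (positive = later)."""
    ref = iso_to_utc(SURICATA_TS)
    epoch_from_id = float(ALERT_ID.split(".")[0])
    points = {
        "wazuh_timestamp": iso_to_utc(WAZUH_TS),
        "alert_id_epoch": epoch_to_utc(epoch_from_id),
        "fluent_bit_epoch": epoch_to_utc(FLUENT_EPOCH),
        "graylog_ui": ui_to_utc(GRAYLOG_UI, ui_offset_hours),
    }
    return {name: round((dt - ref).total_seconds(), 3) for name, dt in points.items()}


if __name__ == "__main__":
    print("Suricata event in UTC:", iso_to_utc(SURICATA_TS).isoformat())
    for name, delta in drift_report().items():
        print(f"{name:>17}: {delta:+.3f} s")
```

A report where every delta is a few seconds or less means the pipeline only changed how the instant is rendered; a delta of whole hours is what a genuine zone mismatch between a sender and Graylog looks like.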

Hello @50m1a

Where are you setting the timezone within Graylog, for example is it set on the user you use to login to Graylog?
