Hi,
According to the docs all syslog messages are treated as UTC unless the timezone is specified in the syslog message.
The received syslog message is in UTC and contains no timezone information but graylog saves it as UTC + 2.
The input contains two extractors
None is related to time / modifies it
There is also no pipeline modifying times.
Thanks in advance!
It depends also on server (graylog box) timezone settings. Graylog then shows timestamps in user’s defined timezone settings (in web interface).
timedatectl
server.conf parameter root_timezone, edit it with sudo vim /etc/graylog/server/server.conf
System - Authentication - Users - Edit - field Timezone
Edit profile after login
That’s the time configuration of my graylog instance^^
As far as I know these timezone settings only affect the timestamps displayed to the user and not the time that graylog uses to store a message in ES.
The input receives the syslog message with the timestamp “May 2 23:02:37” which is UTC and correct.
The timestamp saved into ES is “2021-05-02 21:02:37.000” which should be UTC too but is actually UTC-2.
The timestamp I expect to be in ES is “2021-05-02 23:02:37.000”
{
"took" : 241,
"timed_out" : false,
"num_reduce_phases" : 2,
"_shards" : {
"total" : 868,
"successful" : 868,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.5713124,
"hits" : [
{
"_index" : "graylog_1",
"_type" : "message",
"_id" : "7d1714b0-ab9a-11eb-8fb0-02427f2bcf62",
"_score" : 1.5713124,
"_source" : {
"gl2_accounted_message_size" : 982,
"level" : 6,
"gl2_remote_ip" : "111.111.111.111",
"gl2_remote_port" : 39014,
"streams" : [
"000000000000000000000001"
],
"gl2_message_id" : "01F4QN3GBVPC2SVDZE0PM9H5B1",
"source" : "76bdaa34",
"message" : "76bdaa34 haproxy[8]: {\"application\":\"XXXXXXXXXXXX\",\"log\":\"access\",\"bytes_read\":306042,\"http_method\":\"GET\",\"http_uri\":\"/stats\",\"http_query\" :\"\",\"http_version\":\"HTTP/1.1\",\"unique_id\":\"- \",\"time\":0,\"status_code\":200,\"bytes_uploaded\":140,\"backend_name\":\"stats\",\"client_ip\":\"172.17 .0.1\",\"frontend_name\":\"stats\",\"pid\":8,\"http_request\":\"GET /stats HTTP/1.1\",\"server_name\":\" <STATS>\",\"server_ip\":\"-\",\"ssl_version\":\"-\"}",
"gl2_source_input" : "608c69202731de132b4cbaf4",
"full_message" : "<134>May 2 23:02:37 76bdaa34 haproxy[8]: {\"application\":\"XXXXXXXXXXXX\",\"log\":\"access\",\"bytes_read\":306042,\"http_method\":\"GET\",\"http_uri\":\"/stats\",\"http_query\":\"\",\"http_version\":\"HTTP/1.1\",\"unique_id\":\"-\",\"time\":0,\"status_code\":200,\"bytes_uploaded\":140,\"backend_name\":\"stats\",\"client_ip\":\"172.17.0.1\",\"frontend_name\":\"stats\",\"pid\":8,\"http_request\":\"GET /stats HTTP/1.1\",\"server_name\":\"<STATS>\",\"server_ip\":\"-\",\"ssl_version\":\"-\"}",
"facility_num" : 16,
"gl2_source_node" : "2f5d58d4-6be5-48ca-9038-705908ca260e",
"facility" : "local0",
"timestamp" : "2021-05-02 21:02:37.000"
}
}
]
}
}
Same behavior here, had uncompliant RFC timezone parsed with a pipeline replacing graylog’s generated timestamp but stopped working properly recently. I am using Europe/Paris for this one.
Had to remove the timezone field from the pipeline to get the right date and time into the simulator but still haven’t confirmed it actually applied properly since i have a log processing queue due to invalid timestamps showing up 2 hours later.
Now here’s the thing, if I put the Europe/Paris timezone into the pipeline the timestamp is actually modified 2 hours backwards. I also want mention that all my timezone settings are the same.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.