The timestamp of messages is stuck at 2018/01/01 08:00:00

Hi,
I have an issue where the timestamp is not correct and is stuck at 2018/01/01 08:00:00 when Graylog-server receives messages from a load balancer server (server 10.10.0.249 in the following illustration).


And below are the clues:

  • other messages in the same input have no problem (they get the correct timestamp)
  • I didn't define any settings in a pipeline or extractor to replace/modify the timestamp field
  • I tried letting 10.10.0.249 (the issue server) output syslog to Splunk and other syslog servers, and found there was no problem with the timestamp

Did you save the RAW (or full_message) of that input? You might want to enable that for a short time to find out if the message received by GL already has this date set, or if the modification happens inside Graylog.

How do I save the RAW?

What type of input are you using and which extractors or pipeline rules are being applied?

I'm using the Syslog-UDP input type,
and defined a pipeline rule to replace the source field. Code:

rule "set_source_ip"
when
  has_field("source")
then
  // replace the parsed source with the IP the message actually arrived from
  let source_ip = $message.gl2_remote_ip;
  set_field("source", source_ip);
end

And the following extractors on this input
(copy to a new field, not cut):

  1. regex_value: ^MSIP/2.0 (\d.*) OK^M
  2. regex_value: Src-address="(\w.*?)"
  3. regex_value: Dst-address="(\w.*?)"
  4. regex_value: Transport="(\w.*?)"
  5. regex_value: <sip:(\w.*?)@
  6. regex_value: @(\w.*?)>

How do the messages sent to Graylog look? You can use Wireshark or tcpdump to capture these messages on the network.

What’s the complete configuration of the clients sending these syslog messages to Graylog?

This issue has been solved. The root cause is that the timestamp format is different between Graylog and the host that is sending the log.
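The thread's resolution (a timestamp format mismatch between the sender and Graylog) and the earlier advice to look at the raw messages suggest a simple check a defender can run over a captured or stored sample: parse each syslog header the way a receiver would, compare the parsed time with the receive time, and flag lines whose header is unrecognised or whose clock skew is implausible. The script below is an added example written for this thread; it is not Graylog code and makes no claim about how Graylog's syslog parser works. It handles the two common header formats (RFC 5424 with an explicit offset, and RFC 3164 with no year and no zone, so a zone must be assumed), and the sample lines, the receive time and the assumed zone are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines (not taken from the thread):
#  [0] RFC 5424 header with an explicit +08:00 offset
#  [1] RFC 3164 header (no year, no zone) from a host in the assumed zone
#  [2] a non-standard header a receiver would not recognise
#  [3] RFC 3164 header from a host whose clock runs in UTC, sent to a
#      receiver that assumes +08:00 (the kind of mismatch the thread hit)
SAMPLES = [
    '<134>1 2024-03-05T10:15:30.000+08:00 host1 app - - - SIP/2.0 200 OK',
    '<134>Mar  5 10:15:31 host2 app: Src-address="10.0.0.1"',
    '<134>05/03/2024 10:15:32 host3 app: unusual header',
    '<134>Mar  5 02:15:33 host4 app: clock-in-utc',
]

RFC5424_RE = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) ')
RFC3164_RE = re.compile(r'^<(\d{1,3})>([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) ')
MONTHS = {m: i for i, m in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], start=1)}


def parse_syslog_timestamp(line, received_at, assumed_tz):
    """Return (timezone-aware datetime or None, format name) for one line.

    received_at supplies the year for RFC 3164 headers; assumed_tz is the
    zone applied to headers that carry none (a receiver has to pick one).
    """
    m = RFC5424_RE.match(line)
    if m:
        raw = m.group(2)
        if raw == '-':                      # RFC 5424 allows a NIL timestamp
            return None, 'rfc5424-nil'
        ts = datetime.fromisoformat(raw.replace('Z', '+00:00'))
        if ts.tzinfo is None:               # offset is mandatory, but be lenient
            ts = ts.replace(tzinfo=assumed_tz)
        return ts, 'rfc5424'
    m = RFC3164_RE.match(line)
    if m and m.group(2) in MONTHS:
        day = int(m.group(3))
        hh, mm, ss = (int(x) for x in m.group(4).split(':'))
        ts = datetime(received_at.year, MONTHS[m.group(2)], day, hh, mm, ss,
                      tzinfo=assumed_tz)
        # year rollover: a December message received in early January
        if ts - received_at > timedelta(days=1):
            ts = ts.replace(year=ts.year - 1)
        return ts, 'rfc3164'
    return None, 'unrecognized'


def check_skew(line, received_at, assumed_tz, max_skew=timedelta(minutes=5)):
    """Compare the header time with the receive time and flag anomalies."""
    ts, fmt = parse_syslog_timestamp(line, received_at, assumed_tz)
    if ts is None:
        # no usable header time: a receiver will fall back to its own clock
        # or a default, which is exactly the situation worth spotting
        return {'format': fmt, 'timestamp': None,
                'skew_seconds': None, 'flagged': True}
    skew = (received_at - ts).total_seconds()
    return {'format': fmt, 'timestamp': ts.isoformat(),
            'skew_seconds': skew,
            'flagged': abs(skew) > max_skew.total_seconds()}


def audit(lines, received_at, assumed_tz):
    """Run check_skew over a batch of lines and return the results in order."""
    return [check_skew(line, received_at, assumed_tz) for line in lines]


if __name__ == '__main__':
    # constructed receive time: 10:15:40 in the +08:00 zone, expressed in UTC
    received = datetime(2024, 3, 5, 2, 15, 40, tzinfo=timezone.utc)
    for line, result in zip(SAMPLES, audit(SAMPLES, received, timezone(timedelta(hours=8)))):
        print(('FLAG ' if result['flagged'] else 'ok   ') + result['format'].ljust(13), line[:50])
```

Sample [3] is the instructive one: its header is syntactically fine, so nothing errors out, but because the sender's clock and the receiver's assumed zone disagree the parsed time lands about eight hours off and only the skew check catches it. Run over the raw messages from the problem host, the same check separates "the sender already puts a strange date in the header" from "the header is fine and the receiver is mis-reading it".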
