Time related logging/searching issue on Graylog 3.0.2

I have an odd time-related issue.

Data is being logged an hour ahead of current time (for Europe/London), and you cannot find it in a search until two hours after the time the event was actually generated!

So as an example…
Event generated: 13:42:54
Timestamp/timestamp on search results: Timestamp 14:42:54, timestamp 14:42:54 +01:00
Unable to find in search results until 15:42:55 local time (Europe/London currently +01:00 from UTC due to daylight savings)

Time configuration…
User: 14:52:00 +01:00
Web Browser: 14:52:00 +01:00
Graylog server: 14:52:00 +00:00

The hour difference between the generated event and the Timestamp/timestamp field may be explained by the fact I’m forwarding the events from my previous Graylog server using a Syslog plaintext Output to this new server as I’m testing and ironing out issues.
The thing that concerns me is that the entry cannot be found in a search until two hours after it was logged.

I’m guessing the issue is timezone related, but I’m unclear what to do to resolve it.

Set the time correctly on your server.

As far as I can tell, the time is correct on my server…

timedatectl

Local time: Thu 2019-05-30 14:04:36 BST
Universal time: Thu 2019-05-30 13:04:36 UTC
RTC time: Thu 2019-05-30 13:04:36
System clock synchronized: yes
systemd-timesyncd.service active: yes
RTC in local TZ: no

But somehow, going by your post, GL recognizes the time wrongly.
It should be this:

User admin:
2019-05-30 15:44:25 +02:00
Your web browser:
2019-05-30 15:44:25 +02:00
Graylog server:
2019-05-30 15:44:25 +02:00

Same time and zone every line.

Thanks for the heads up, that gave me the clue I needed.

Turns out the Timezone was incorrect on Ubuntu, despite me thinking I had changed it.
Had to run “dpkg-reconfigure tzdata” to correct it.
