Time stamp issues

Hi there, I am looking to get a little help with grokking timestamps in Graylog. I understand Elasticsearch and Logstash well, however I have never used Graylog before. At present I am getting the following errors.

I am fairly certain that a match like the one I have used on Logstash would work, however I am unsure of how to add this to the processing without breaking the pipeline. My question is: how do I edit the Graylog syntax to give me the multi-match result like the grok example?

Error Output

[GelfCodec] GELF message <9cb0ba70-d8da-11eb-90a5-00505684ac52> (received from <172.31.11.125:46510>) has invalid "timestamp": 2021-06-29T14:05:00.262Z

Logstash Grok Example

match => [ "system.auth.timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd'T'HH:mm:ss.SSSZZ", "ISO8601" ]

Pipeline Rule

rule "Logstash plain logs"
when
    // only apply to messages tagged by the input as Logstash plain-text logs
    to_string($message.type) == "logstash-logs"
then
    // split the Logstash log line into fields; LOGSTASH_CLASS_MODULE and
    // GREEDYMULTILINE are custom patterns and must exist under System > Grok Patterns
    set_fields(
        grok(
            pattern: "\\[%{TIMESTAMP_ISO8601:timestamp_temp}\\]\\[%{LOGLEVEL:log_level}\\s?\\]\\[%{LOGSTASH_CLASS_MODULE:logstash_log_module}\\s*\\](\\[%{NOTSPACE:logstash_log_pipeline_id}\\]|)%{GREEDYMULTILINE:message}",
            value: to_string($message.message),
            only_named_captures: true
        )
    );
    // Logstash writes milliseconds with a comma (e.g. 14:05:00,262), hence ",SSS"
    let new_date = parse_date(
        value: to_string($message.timestamp_temp),
        pattern: "yyyy-MM-dd'T'HH:mm:ss,SSS"
    );
    // store the parsed date, move it to event_created and drop the temporary string
    set_field("timestamp", new_date);
    rename_field("timestamp", "event_created");
    remove_field("timestamp_temp");
end

Are you sure that your client is sending GELF in the correct format? The timestamp, per the GELF 1.1 spec, requires a Unix time value.

timestamp number

  • Seconds since UNIX epoch with optional decimal places for milliseconds; SHOULD be set by client library. Will be set to the current timestamp (now) by the server if absent.

https://docs.graylog.org/en/4.0/pages/gelf.html#gelf-payload-specification
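As an added example (not part of the reply above or of Graylog's own code), the following Python shows the difference the spec makes: an ISO-8601 string like the one in the quoted error is rejected, while the same instant expressed as seconds since the epoch is accepted. The check in validate_gelf_timestamp is a plain restatement of the spec's "number" requirement, not a copy of the GelfCodec's internal logic; the host name and message text are constructed sample values.

```python
"""Build and validate GELF 1.1 "timestamp" values (added example, not the
page's or Graylog's own code).  The spec requires a number: seconds since the
Unix epoch with optional decimals for milliseconds."""
import json
from datetime import datetime, timezone
from numbers import Real
from typing import Tuple


def iso8601_to_gelf_timestamp(value: str) -> float:
    """Convert an ISO-8601 string ('Z' or numeric offset) into GELF seconds
    since the epoch.  Strings without a zone are assumed to be UTC."""
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def validate_gelf_timestamp(payload: dict) -> Tuple[bool, str]:
    """Restate the spec: 'timestamp' is optional, but if present it must be a
    number (bool is excluded because it is an int subclass in Python)."""
    if "timestamp" not in payload:
        return True, "absent; server sets the receive time"
    ts = payload["timestamp"]
    if isinstance(ts, bool) or not isinstance(ts, Real):
        return False, f'has invalid "timestamp": {ts}'
    return True, "ok"


def build_gelf_message(host: str, short_message: str, iso_time: str) -> dict:
    """Assemble a minimal GELF 1.1 payload with a spec-compliant timestamp."""
    return {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": iso8601_to_gelf_timestamp(iso_time),
    }


if __name__ == "__main__":
    # constructed sample input: the ISO string from the quoted error line
    iso = "2021-06-29T14:05:00.262Z"
    bad = {"version": "1.1", "host": "example-host", "short_message": "test",
           "timestamp": iso}
    good = build_gelf_message("example-host", "test", iso)
    print("string timestamp :", validate_gelf_timestamp(bad))
    print("numeric timestamp:", validate_gelf_timestamp(good))
    print(json.dumps(good))
```

Running the script prints a rejection for the string form and an acceptance for the numeric form, and the final JSON line is what a GELF client should actually emit for that instant.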
