Timestamp field always shown as zero hours since update to 2.2.3


(Julien) #1

Since the update to 2.2.3, some UDP syslog messages from a specific source always show the timestamp as 00:00:00.000 for all received messages for a specific extractor:

The extractor is a comma delimited CSV extractor as shown here:

dateheure,milliseconds,unused21,application_name,log_level,unused22,unused23,client_ip,server_ip,vendor_event_type,vendor_action_id,vendor_action,vendor_action_description,session_id,actor_guid,unused27,unused28,user_name,user_first_name,user_last_name,agent_guid,unused210,agent_ip,agent_name,agent_type,unused214,authentication_type,unused215,authentication_description,argument1,argument2,argument3,argument4,argument5,argument6,argument7,argument8,user_email,argument10,argument11

The first field used to be called ‘timestamp’, so I figured this might cause an issue. I replaced it with ‘dateheure’ and rotated the index, but the issue remains.

This used to work fine prior to upgrading the OVA to 2.2.3 last week. Any leads on what is causing this issue and how to fix it? Thanks.

P.S. The time config on the server is fine. All other sources have correct timestamps.


(Julien) #2

Ok, found a solution:

In the extractor, I added a date converter to the current CSV with the format provided by the log and made sure the ‘Store as field’ is named ‘timestamp’. Newly incoming logs are now timestamped correctly.

Hope it helps someone!
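The fix described above, as an added illustration that is not part of the thread or of Graylog's own code: a small Python model of the CSV extractor plus date converter that builds a `timestamp` field from `dateheure` and `milliseconds`, with a check for the zero-hour symptom so a pipeline can flag messages whose time-of-day was lost. The `dateheure` format, the sample message and all its values are assumptions.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Field names exactly as in the CSV extractor posted in the thread.
HEADER = "dateheure,milliseconds,unused21,application_name,log_level,unused22,unused23,client_ip,server_ip,vendor_event_type,vendor_action_id,vendor_action,vendor_action_description,session_id,actor_guid,unused27,unused28,user_name,user_first_name,user_last_name,agent_guid,unused210,agent_ip,agent_name,agent_type,unused214,authentication_type,unused215,authentication_description,argument1,argument2,argument3,argument4,argument5,argument6,argument7,argument8,user_email,argument10,argument11"
FIELDS = HEADER.split(",")

# ASSUMPTION: the thread never shows the log's date format; this one is made up.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample message (not from the thread); unlisted fields stay empty.
SAMPLE_FIELDS = {"dateheure": "2024-03-05 14:27:09", "milliseconds": "512",
                 "application_name": "vpn-gateway", "log_level": "INFO",
                 "client_ip": "203.0.113.7", "server_ip": "10.0.0.5",
                 "vendor_event_type": "login", "user_name": "jdoe",
                 "user_email": "jdoe@example.com"}
SAMPLE_LINE = ",".join(SAMPLE_FIELDS.get(f, "") for f in FIELDS)


def parse_csv_line(line: str) -> dict:
    """Split one message into named fields, like the comma-delimited CSV extractor."""
    values = next(csv.reader(StringIO(line)))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def add_timestamp(fields: dict) -> dict:
    """Date converter step: parse dateheure + milliseconds, store as 'timestamp' (UTC)."""
    base = datetime.strptime(fields["dateheure"], DATE_FORMAT)
    ms = int(fields["milliseconds"] or 0)
    fields["timestamp"] = base.replace(microsecond=ms * 1000, tzinfo=timezone.utc)
    return fields


def has_zeroed_time(ts: datetime) -> bool:
    """True when the time-of-day collapsed to 00:00:00.000, the symptom in the thread."""
    return (ts.hour, ts.minute, ts.second, ts.microsecond) == (0, 0, 0, 0)


def process_line(line: str) -> dict:
    """Extract, convert, and mark the message if its timestamp looks zeroed."""
    fields = add_timestamp(parse_csv_line(line))
    fields["timestamp_suspicious"] = has_zeroed_time(fields["timestamp"])
    return fields
```

Raising an alert when a large share of messages from one source trips `timestamp_suspicious` catches this class of extractor regression before it silently breaks event correlation.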


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.