Timestamp is always 00:00:00.000 for Aruba Clearpass

I’m setting up a new Graylog instance and am nearly finished getting everything up and ready. However, one type of device is getting a strange timestamp of the correct date, but a midnight time for every message it receives, rather than the time Graylog processed it. As far as I know it’s just sending straight syslog, and none of the other network devices are exhibiting this behavior. Is there maybe a known issue with Clearpass mangling syslog and/or confusing graylog with a phony timestamp, or is there a pipeline I could run it through to force it to use Graylog’s own timestamp?

I’m using Graylog 2.4.3+2c41897 (Oracle Corporation 1.8.0_161 on Linux 3.10.0-693.17.1.el7.x86_64)

Let me know if I need to provide any additional information.

Thanks!

You could write a pipeline rule which replaces the incorrect timestamp with the correct one from the message.

Hi Jochen, thanks for your help!

Is there a way to just take the timestamp from when Graylog processes the message and overwrite the timestamp field with that? Looking at the messages, the timestamp changes depending on the type of message, and sometimes does not include a date at all, or includes multiple but slightly different times. It looks like I could do multiple stages in a pipeline and try to grab each date/time format I find, but I don’t know if that’s the right way to do that either, and it wouldn’t catch the ones with no date.

Timestamp examples from a single device:
2018-04-24 09:11:51-06
08:58:27,78
Apr 23 2018 23:55:05.876 MDT

Thanks!

You could use the now() function to get the current timestamp and assign it to the “timestamp” field with set_field().
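An added example of what such a rule can look like, written for this thread and not taken from the original posts or from Graylog's documentation. It assumes the ClearPass appliance shows up in Graylog with the `source` value `clearpass.example.com` and that the affected timestamps land on midnight in the `America/Denver` zone (the `MDT` suffix in one of the samples above suggests that zone); both are assumptions you would adjust to your environment. The rule keeps the broken value in a separate field before overwriting `timestamp`, so you can still see what the device actually sent, and it only fires when the parsed time is exactly midnight, so messages with a usable timestamp are left alone.

```graylog
// Added example, not from the original thread.
// Replaces a bogus midnight timestamp on ClearPass syslog messages with
// Graylog's own processing time, keeping the original for reference.
rule "clearpass: replace midnight timestamp with processing time"
when
    // hostname is an assumption; match whatever your ClearPass reports as "source"
    has_field("source") &&
    to_string($message.source) == "clearpass.example.com" &&
    // only touch messages whose parsed time is exactly 00:00:00.000 in the device's zone
    // (zone is an assumption, taken from the "MDT" sample above)
    format_date($message.timestamp, "HH:mm:ss.SSS", "America/Denver") == "00:00:00.000"
then
    // preserve what the device sent so the rewrite is visible in the stored message
    set_field("clearpass_original_timestamp", to_string($message.timestamp));
    // processing time is the best available approximation of the event time
    set_field("timestamp", now());
end
```

Attach the rule to a pipeline connected to the stream your ClearPass messages land in. Two caveats: `now()` is the time the message reached this stage, so the stored timestamp will be late by whatever transport and queueing delay exists between the appliance and Graylog, and if the device is actually sending a parseable time that Graylog misreads, a rule that extracts the real time from the message body (as suggested earlier in the thread) gives you a more accurate record than processing time.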


Yep that got it. Thanks for spoon feeding the documentation to me, since I’m apparently blind :flushed:
