I’m setting up a new Graylog instance and am nearly finished getting everything up and ready. However, one type of device is getting a strange timestamp of the correct date, but a midnight time for every message it receives, rather than the time Graylog processed it. As far as I know it’s just sending straight syslog, and none of the other network devices are exhibiting this behavior. Is there maybe a known issue with Clearpass mangling syslog and/or confusing graylog with a phony timestamp, or is there a pipeline I could run it through to force it to use Graylog’s own timestamp?
I’m using Graylog 2.4.3+2c41897 (Oracle Corporation 1.8.0_161 on Linux 3.10.0-693.17.1.el7.x86_64)
Let me know if I need to provide any additional information.
Is there a way to just take the timestamp from when graylog processes the message and overwrite the timestamp field with that? Looking at the messages, the timestamp changes depending on the type of message, and sometimes does not include a date at all, or multiple but slightly different times. It looks like I could do multiple stages in a pipeline and try to grab each date/time format I find, but I don’t know if that’s the right way to do that either, and it wouldn’t catch the ones with no date.
timestamp examples from a single device:
2018-04-24 09:11:51-06
08:58:27,78
Apr 23 2018 23:55:05.876 MDT
