We have a Fortinet firewall sending logs to a Graylog server. There was an issue with the timestamps being off, so we followed the advice of this post to create a pipeline to set the desired time zone.
The pipeline seems to work and the timestamp field is set correctly. However, in the Search page when you see the messages from the firewall in the search results box there is the Timestamp field on the far left that shows the current time minus 8 hours. If you mouse over the Timestamp it shows the correct time (+ 8 hours).
Any idea why this is happening? The actual timestamp field also shows the correct time.
I think the timestamp as you see it (and the hover one) are based on the actual value of the timestamp, and the value of the timestamp adjusted via your profile timezone settings. Not sure, I’m just guessing here.
The pipeline seems to work and the timestamp field is set correctly. However, in the Search page when you see the messages from the firewall in the search results box there is the Timestamp field on the far left that shows the current time minus 8 hours. If you mouse over the Timestamp it shows the correct time (+ 8 hours).
Then you do the timestamp conversion wrong.
Graylog will save timestamps always in UTC and in the overview of messages that UTC value is converted to the Timestamp/zone the user has configured in his profile.
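The symptom in this thread (a Timestamp column that is 8 hours behind the device's own clock) is what you get when the device's local time is written into the field as if it were already UTC, and the UI then shifts that value into the user's profile time zone. The following Python script is an added illustration, not code from the thread or from Graylog; it uses a constructed Fortinet-style `date=`/`time=` log line and assumes the firewall runs on `America/Los_Angeles` local time and that the Graylog user's profile is set to the same zone. It contrasts the buggy conversion (no source zone attached) with the correct one (source zone attached, then converted to UTC) and shows what the search view would render in each case.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample of a Fortinet-style key=value log line (not from the thread).
SAMPLE_LINE = 'date=2023-01-14 time=15:04:05 devname="fw01" type="traffic" action="accept"'

# Assumed zones: the firewall's local clock and the Graylog user's profile setting.
DEVICE_TZ = "America/Los_Angeles"
PROFILE_TZ = "America/Los_Angeles"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def local_timestamp(fields):
    """Combine the date and time fields into a naive datetime (no zone attached yet)."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def store_as_utc(naive, source_tz=None):
    """Emulate what ends up in the timestamp field: Graylog keeps timestamps in UTC.

    source_tz=None reproduces the bug from the thread: the device's wall-clock
    time is labelled UTC without any conversion.  Passing the device's real
    zone attaches it first and then converts to UTC, which is the correct path.
    """
    if source_tz is None:
        return naive.replace(tzinfo=timezone.utc)
    return naive.replace(tzinfo=ZoneInfo(source_tz)).astimezone(timezone.utc)


def render_for_user(stored_utc, profile_tz):
    """What the search overview shows: the stored UTC value in the profile zone."""
    return stored_utc.astimezone(ZoneInfo(profile_tz)).strftime("%Y-%m-%d %H:%M:%S %Z")


def display_offset_hours(stored_utc, naive_local, profile_tz):
    """Hours between the time the user sees and the device's own wall-clock time."""
    shown = stored_utc.astimezone(ZoneInfo(profile_tz)).replace(tzinfo=None)
    return (shown - naive_local).total_seconds() / 3600


if __name__ == "__main__":
    fields = parse_kv(SAMPLE_LINE)
    naive = local_timestamp(fields)
    wrong = store_as_utc(naive)               # bug: local time stored as if UTC
    right = store_as_utc(naive, DEVICE_TZ)    # fix: attach source zone, then to UTC
    for label, stored in (("wrong", wrong), ("right", right)):
        print(label, "stored:", stored.isoformat(),
              "shown:", render_for_user(stored, PROFILE_TZ),
              "offset h:", display_offset_hours(stored, naive, PROFILE_TZ))
```

With the buggy path the stored value is `15:04:05+00:00`, which the UI renders as `07:04:05 PST` for a Pacific-time user, the "minus 8 hours" reported above; with the source zone attached the stored value is `23:04:05+00:00` and the UI renders `15:04:05 PST`, matching the firewall's clock. The practical check is therefore to inspect the raw UTC value in the stored `timestamp` field rather than the rendered column: if the UTC value equals the device's local wall-clock time, the pipeline is not applying the device zone during parsing.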