Timestamp issue on Slack notifications

Graylog Central (peer support)
, ,
1

Hello! I’m having this problem with the timestamp in Slack notifications that not matches with the rest of timestamps (event, log inputs, etc.). I’d like to collect all the logs in my local time (America/Argentina/Buenos_Aires):

1. Describe your incident:
The timestamp of the Slack alerts is not equal to everyone else on Graylog web interface and/or the logs of the inputs configured. Let me show an example:

  • My Date/time are in local time (it’s Ok):

Date command output:
Wed Jul 13 16:30:41 -03 2022

Hwclock command output:
2022-07-13 16:30:45.188264-03:00

  • The timestamp in the test events submitted are similar and it’s OK:

Timestamp
2022-07-13 16:30:45.200

timestamp
2022-07-13 16:30:45.200

  • But the alerts timestamp is not Ok, including the backlog timestamp arrived:

image
image746×650 79.3 KB

There is a difference of 3 hours approximately.

2. Describe your environment:

  • OS Information: AWS EC2 instance, Ubuntu 22.04 LTS (Jammy Jellyfish)

  • Package Version:
    Docker images: Mongo (latest), elasticsearch 7.10.2, Graylog 4.3.3.
    Docker version 20.10.17, build 100c701
    docker-compose version 1.29.2, build unknown

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

  • I already tried previously changing the docker-compose.yml configuration, about the localtime and timezone system files (mounted as volumes):

/etc/timezone:/etc/timezone:ro
/etc/localtime:/etc/localtime:ro

  • Already I changed the env variables related to date and time on graylog container:

GRAYLOG_ROOT_TIMEZONE=America/Argentina/Buenos_Aires
TZ=America/Buenos_Aires

I understand (if I’m not wrong) the “timedatectl” command output it’s ok and don’t need any edit. Take this example:

            Local time: Wed 2022-07-13 16:32:45 -03
       Universal time: Wed 2022-07-13 19:32:45 UTC
             RTC time: Wed 2022-07-13 19:32:45
            Time zone: America/Argentina/Buenos_Aires (-03, -0300)

System clock synchronized: yes
NTP service: active
RTC in local TZ: no

  • Already I restarted the containers and docker daemon (before and after changes, respect to system date and time)

4. How can the community help?

I’d like to fix this issue and receive alerts using the local time like everyone else logs.

Thank you to all from before.

2

Hello && welcome

Couple things I see didnt look right, I maybe wrong thou

Think it suppost to be this

[quote="emeneve, post:1, topic:24776"]
GRAYLOG_ROOT_TIMEZONE=America/Argentina/Buenos_Aires
TZ=America/Argentina/Buenos_Aires

Insure it takes the new configuration.

Next on the Web UI it should look something like this.

image

You can check the user profile to insure the correct date/time is configured.

3

Hello and thank you gsmith.

I’m sorry for not fix these variable values, I changed that and got the same result.

About time configuration, looks right I see:

image
image836×342 20.9 KB

And the user profile shows the problem:

image
image826×64 12 KB

Any other idea to check? I appreciate so much.

Best regards.

4

Ok now check the user Time zone not the last activity BUT good catch thou.
Example:
Navigate to System/Users And Teams. Click on the user with the problem Date/time. Click on “edit User” and you should see this section.

image
image1035×580 35.4 KB

5

Good morning gsmith,

I done that, and the “admin” user shows the incorrect time and the zone sees Ok:

image
image854×534 51 KB

Now it’s 10:13 and I’ve see can’t edit the user “admin” (there is no button for edit).

Best regards.

6

Hello,

The default Admin is configured in Graylogs configuration file.

Sum it up:

1.Server Date/time is correct?
2.Graylogs Web UI “Time configuration”, all three Date/Times are correct?
3.Default admin user time is off by 3 hours?
4.As for the Docker container, it is set for the correct time zone?

I assume you restarted the container after insuring the Time zone was configured?

7

Hello,

About the four points marked, as I showed previously I didn’t found nothing incorrect in the time.
But I’m not sure if I understood the number 3 and 4.

3.Default admin user time is off by 3 hours?

What kind of review or setting is this? Can you show me please?

4.As for the Docker container, it is set for the correct time zone?

I’ve searched and I didn’t found a configuration of time for Docker in specific (or for Docker compose too). Do you know any?

I assume you restarted the container after insuring the Time zone was configured?

Yes of course, I did it.

Best Regards.

8

Hello,

image
image811×507 15.4 KB

I was referring to this statement.

Explained it from here.

I don’t see this setting in slack notification template but there is a Time Zone configuration in the Email Notification to correct Timestamp issues , so I’m not sure what is going on in this environment.

image
image743×653 25.5 KB

9

Hello gsmith,

The “Timezone” in the Settings section for admin user is the correct (America/Argentina/Buenos_Aires) and the incorrect time is from the data in “Last Activity” field when it shows that.

It’s interesting about the Email notificacion template because I saw a few days ago a problem/fix related to Email notification. Is this I guess:

Best regards.

10

Hello,

It might be, I even saw a Mail server have the wrong timestamp which created issues. So if all the time Zones are correct as stated above. To be honest , I’m not sure what’s the issue.

EDIT: that issue was resolved, the screenshot I posted shows the fix to that.

11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.