I have the same issue as described in this post:
We have a Fortinet firewall sending logs to a Graylog server. There was an issue with the timestamps being off, so we followed the advice of this post to create a pipeline to set the desired time zone.
The pipeline seems to work and the timestamp field is set correctly. However, in the Search page when you see the messages from the firewall in the search results box there is the Timestamp field on the far left that shows the current time minus 8 hours. If you mouse over the Timestamp…
In System/Overview, all 3 times are the same and correct.
My concern is that when I do a search for anything new (in the last 5 minutes), nothing shows up because of this time discrepancy. I have to change it to “in the last 8 hours” in order to see any data.
I do not understand the above linked post’s comments, so I don’t know if a fix was mentioned (timestamp conversion) or not.
I am not sure if I have the same issue:
Graylog 3.0.2+1686930, codename
Host OS: Ubuntu 18.04.3 LTS
Host: 2020-02-15 11:52:05 +08:00
Time configuration
User ******: 2020-02-15 11:52:05 +08:00
Your web browser: 2020-02-15 11:52:05 +08:00
Graylog server: 2020-02-15 11:52:29 +08:00
root_timezone = UTC
The syslog with a UTC timestamp got transformed to UTC-8 as raw data. It works well if your syslog timestamp is in UTC+8, which is not the standard as we would wish.
How do I stop the transformation for a particular syslog if there is still other raw data that needs to be transformed?
Update: the timestamp is 8 hours behind, and only the full_message shows the correct one.
The question is:
Does that timestamp include a timezone?
If the timestamp does not include timezone information, Graylog works with that timestamp as if it were UTC.
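As an added example (not code from either post, and not Graylog's own pipeline logic): a small Python model of the timezone question raised in the reply, using constructed timestamps based on the 11:52:05 +08:00 overview times above. It shows that the same naive timestamp lands 8 hours apart depending on whether the collector assumes UTC or UTC+8, that a timestamp carrying its own offset is honoured as-is so no per-source override is needed for it, and why a "last 5 minutes" search misses the message under the wrong assumption.

```python
from datetime import datetime, timezone, timedelta

# Assumption: the firewall's local zone is a fixed UTC+8 (no DST).
UTC_PLUS_8 = timezone(timedelta(hours=8))

# Formats that carry an explicit offset are tried first, then naive ones.
FORMATS_WITH_OFFSET = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S%z")
FORMATS_NAIVE = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S")


def to_utc(value: str, assumed_tz) -> datetime:
    """Parse a syslog timestamp string and return an aware UTC datetime.

    If the string carries its own offset ("+08:00", "+0000", "Z"), that offset
    is honoured and assumed_tz is ignored, so such messages are never shifted
    by a blanket timezone rule. A naive string is interpreted in assumed_tz;
    as the reply notes, a collector that treats naive timestamps as UTC will
    place a UTC+8 wall-clock time 8 hours off.
    """
    for fmt in FORMATS_WITH_OFFSET:
        try:
            return datetime.strptime(value, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    for fmt in FORMATS_NAIVE:
        try:
            naive = datetime.strptime(value, fmt)
            return naive.replace(tzinfo=assumed_tz).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def skew_hours(value: str, tz_a, tz_b) -> float:
    """Hours by which the same string lands apart under two assumed zones."""
    return (to_utc(value, tz_a) - to_utc(value, tz_b)).total_seconds() / 3600


def appears_within(value: str, assumed_tz, now_utc: datetime, window: timedelta) -> bool:
    """Would a 'last N minutes' search (relative to now_utc) find this message?"""
    ts = to_utc(value, assumed_tz)
    return now_utc - window <= ts <= now_utc


if __name__ == "__main__":
    # Constructed sample: firewall wall-clock time 11:52:05 in UTC+8, no offset in the string.
    sample = "2020-02-15 11:52:05"
    now = datetime(2020, 2, 15, 3, 55, 0, tzinfo=timezone.utc)  # 11:55 local time
    print("assuming UTC+8:", to_utc(sample, UTC_PLUS_8))
    print("assuming UTC:  ", to_utc(sample, timezone.utc))
    print("skew (hours):  ", skew_hours(sample, UTC_PLUS_8, timezone.utc))
    print("found in last 5 min, UTC+8:", appears_within(sample, UTC_PLUS_8, now, timedelta(minutes=5)))
    print("found in last 5 min, UTC:  ", appears_within(sample, timezone.utc, now, timedelta(minutes=5)))
```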