Currently I’ve noticed that the timestamp on Graylog versus the timestamp in the log file is off by a second or two. I’m trying to figure out a way to take the timestamp from the log and use it in Graylog. The log message includes the timestamp as follows: Wed Mar 07 10:42:24 2018. This is different from how Graylog represents the timestamp: 2018-03-07T15:42:24.850Z.
So I guess my question is, how do I change the format of my log message to match Graylog’s setting and then insert it as the timestamp?
What type of input are you using to ingest the log messages?
What’s the complete configuration of that input?
Which extractors and pipeline rules are you using, which might modify the ingested messages?
I’m using Beats to input the log messages. Apart from that, I don’t really have anything else set up. I was able to use a GROK pattern I created to parse the date from the log message. However, now that I have the time split up, how do I get that back into the timestamp?
If you’re using Filebeat to read and send log messages from text files to Graylog, Graylog will use the receive timestamp as the “timestamp” field.
Filebeat doesn’t automatically parse arbitrary date/time formats from the log files it reads. You’ll have to do this yourself in Graylog using Extractors or Processing Pipeline rules:
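As an added illustration of the pipeline-rule approach suggested above (not code from the original thread), here is a rule that extracts a timestamp in the poster's format (Wed Mar 07 10:42:24 2018) from the message text and writes it to the built-in "timestamp" field. The grok pattern, the field name log_ts, and the timezone are assumptions: the log line carries no zone, so the rule has to supply one, and the thread's sample (10:42 local vs. 15:42Z) only makes sense if that zone is chosen correctly.

```graylog
rule "set timestamp from legacy log date"
when
  has_field("message")
then
  // Grok the leading date out of the raw message; only the named capture is kept.
  // Pattern and field name are assumptions, adapt them to the real line layout.
  let fields = grok(
    pattern: "^(?<log_ts>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})",
    value: to_string($message.message),
    only_named_captures: true
  );

  // Parse "Wed Mar 07 10:42:24 2018" with a Joda-style pattern. The timezone is
  // an assumption (the log has none); use the zone the application writes in.
  let ts = parse_date(
    value: to_string(fields["log_ts"]),
    pattern: "EEE MMM dd HH:mm:ss yyyy",
    locale: "en",
    timezone: "America/New_York"
  );

  // Keep the original receive time for comparison, then overwrite "timestamp".
  set_field("received_at", $message.timestamp);
  set_field("timestamp", ts);
end
```

Attach the rule to a pipeline stage connected to the stream the Beats input feeds; if the grok pattern does not match, fields["log_ts"] is empty and parse_date fails, so messages keep the receive timestamp.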