Timestamp Issues

#1

I am running into an issue where the timestamp coming from the Cisco Firepower module is not treated as UTC.

The following message:
<117>Mar 27 00:59:55 FW-SFR SFIMS: Protocol: TCP, ... Error, Sinkhole: Unknown, SecIntMatchingIP: Destination, IPReputationSICategory: Attackers, URLCategory: Unknown, URLReputation: Risk unknown

Has Graylog timestamp of:
2019-03-27T05:59:55.000Z

My time configuration is set to Central:
[screenshot: time configuration]

It looks like Graylog is treating the time on the incoming message as Central and then converting to UTC.

For another Cisco device we have on a different input, Graylog is assuming the time is UTC and it is displaying properly.

Any help is appreciated.


(Jan Doberstein) #2

If the devices do not send a timestamp with timezone information included, it is always a mess…

But what kind of normalization, pipelines or extractors did you use with those messages? Because timestamps without any timezone information are UTC for Graylog.


#3

Thanks for the reply Jan.

There are currently no extractors on the input or any associated pipelines.

This is a new input.

Like I mentioned before, another Cisco device is processing properly, where Graylog is assuming the time it extracts is UTC. Funny thing is, the Firepower module message format is nearly identical to the ASA's, with the exception that the year is missing in the timestamp.

ASA message:
<157>Mar 28 2019 11:19:38 ASA : %ASA-5-611103: User logged out: Uname: user

Has Graylog timestamp of:
2019-03-28T11:19:38.175Z

Could the missing year be causing an issue?


#4

Changing the input type to “Raw/Plaintext UDP” produces the desired results.

For some reason, on input type “Syslog UDP” the time is treated differently.


(Jan Doberstein) #5

We try to “detect” broken syslog … for known bad actors. That might be the reason for this.

Going the Raw way is the best solution.

Jan

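The root cause discussed above is that a BSD (RFC 3164) syslog header carries neither a year nor a time zone, so whatever receives it has to assume both. The following is an added example, not code from the thread or from Graylog: it parses the two header shapes quoted in the thread (Firepower without a year, ASA with one), infers the missing year from the receive time, and shows how reading the zoneless timestamp as UTC versus as America/Chicago produces exactly the two values the original poster saw (00:59:55 CDT is 05:59:55Z). The sample messages and receive times are constructed, the payloads are shortened, and Graylog's own syslog parsing is not reproduced here.

```python
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    CENTRAL = ZoneInfo("America/Chicago")
except Exception:  # no tz database available: fall back to the fixed CDT offset in force on the sample dates
    CENTRAL = timezone(timedelta(hours=-5), "CDT")

# Constructed samples in the shape of the two messages quoted in the thread (payloads shortened).
FIREPOWER_MSG = "<117>Mar 27 00:59:55 FW-SFR SFIMS: Protocol: TCP, URLCategory: Unknown"
ASA_MSG = "<157>Mar 28 2019 11:19:38 ASA : %ASA-5-611103: User logged out: Uname: user"
# Constructed receive times (aware, UTC), a few seconds after each message's own clock.
FIREPOWER_RECEIVED = datetime(2019, 3, 27, 6, 0, 5, tzinfo=timezone.utc)
ASA_RECEIVED = datetime(2019, 3, 28, 11, 19, 40, tzinfo=timezone.utc)
NEW_YEAR_RECEIVED = datetime(2020, 1, 1, 0, 0, 10, tzinfo=timezone.utc)

# BSD (RFC 3164) header: <PRI>Mmm dd [yyyy] hh:mm:ss ...  The year group is optional: the RFC
# has no year at all, the ASA here emits one, the Firepower module does not.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?:(?P<year>\d{4}) )?"
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<rest>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def infer_year(month, day, received_at):
    """Pick the year for a yearless header: the receive year, unless that would place
    the event more than a day in the future (a Dec 31 message read on Jan 1).
    received_at must be an aware datetime. Feb 29 in a non-leap receive year is not handled."""
    year = received_at.year
    candidate = datetime(year, month, day, tzinfo=timezone.utc)
    if candidate - received_at > timedelta(days=1):
        year -= 1
    return year


def parse_syslog(msg, received_at, assume_tz=timezone.utc):
    """Parse the header; return (facility, severity, UTC datetime, remainder from hostname on).

    assume_tz is the zone applied to the zoneless timestamp. The header carries no offset,
    so this choice alone decides the resulting UTC value.
    """
    m = HEADER_RE.match(msg)
    if not m:
        raise ValueError("not a BSD syslog header: %r" % msg[:40])
    facility, severity = divmod(int(m["pri"]), 8)
    month, day = MONTHS[m["mon"]], int(m["day"])
    year = int(m["year"]) if m["year"] else infer_year(month, day, received_at)
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    stamped = datetime(year, month, day, hh, mm, ss, tzinfo=assume_tz)
    return facility, severity, stamped.astimezone(timezone.utc), m["rest"]


def graylog_timestamp(dt):
    """Render a UTC datetime the way the thread shows it: 2019-03-27T05:59:55.000Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (dt.microsecond // 1000)


def explain(msg, received_at):
    """Return the two candidate UTC timestamps for one message: header read as UTC, and as Central."""
    _, _, as_utc, _ = parse_syslog(msg, received_at)
    _, _, as_central, _ = parse_syslog(msg, received_at, assume_tz=CENTRAL)
    return graylog_timestamp(as_utc), graylog_timestamp(as_central)


if __name__ == "__main__":
    for name, msg, rx in (("Firepower", FIREPOWER_MSG, FIREPOWER_RECEIVED),
                          ("ASA", ASA_MSG, ASA_RECEIVED)):
        as_utc, as_central = explain(msg, rx)
        print("%-9s read as UTC: %s   read as Central: %s" % (name, as_utc, as_central))
```

Run stand-alone, the Firepower line yields 2019-03-27T00:59:55.000Z when the header is read as UTC and 2019-03-27T05:59:55.000Z when read as Central, the two values that differ in the thread; the ASA line is shifted the same way, which is why carrying a year in the header does not by itself fix the ambiguity. The practical check is the one the thread arrives at: either make the device emit a timestamp with an offset (RFC 5424 style) or pin the input to a known interpretation and verify with a message whose wall-clock time you control.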

#6

Thanks for your help and clarification Jan!

