Timestamp sets to 00:00:00.000 on all incoming logs

Hey There,

I’m getting my logs from Aruba ClearPass, however in “All Messages” the timestamp is set to 00:00:00.000 on all of them.

  • OS Information:
    Host : Rocky Linux, using Docker-Compose with official Graylog v5.2 image.

  • Package Version: 5.2

  • From Docker-Compose:
    GRAYLOG_ROOT_TIMEZONE: "America/Vancouver"
    GRAYLOG_TIMEZONE: "America/Vancouver"
    TZ: "America/Vancouver"

I tried to set the timezone from UTC, to Canada/Pacific, to America/Vancouver. In the “message” field itself the timestamp is correct, however in Graylog it is the same timestamp on every single message that I receive from Aruba ClearPass.

I have an old bare-bones Graylog server installation that is also running and processing logs from Aruba ClearPass, and this one doesn’t have this timestamp issue. I would like to migrate to Docker for ease of maintenance and updates, but I spent the entire day trying to figure out why my timestamp is set to 00:00:00.000 on ALL the logs going through.

Cheers!
Xzi,


I would create a raw input in Graylog to receive the messages temporarily and see what that raw message really looks like: is the timestamp actually zeros, is it malformed, etc.

As for the fix, it’s pretty easy to just override the timestamp: use whatever method to get the timestamp from the message field and then write it to the “timestamp” field (you may have to change the format, but you can do that in pipeline rules), and that will overwrite the timestamp.

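One way to do the override Joel describes, as an added example that is not from the thread: a Graylog pipeline rule that pulls the date out of the message body and writes it to `timestamp`. The leading syslog-style date format (e.g. `Mar  4 14:05:09`, without a year) and the `America/Vancouver` zone are assumptions, so adjust the regex and zone to what the raw input actually shows.

```graylog
rule "ClearPass: take timestamp from message body"
when
    // Only touch messages whose body starts with a syslog-style date
    // (assumed format, e.g. "Mar  4 14:05:09"); anything else keeps
    // the timestamp Graylog already assigned.
    has_field("message") &&
    regex("^[A-Z][a-z]{2}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}", to_string($message.message)).matches == true
then
    // Capture group "0" is the leading date string.
    let m = regex("^([A-Z][a-z]{2}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2})", to_string($message.message));

    // flex_parse_date copes with the missing year and the double space
    // before single-digit days. The zone must be the one the appliance
    // stamps its messages in (assumed America/Vancouver), not the zone of
    // the Graylog container, otherwise every event shifts by the offset.
    let ts = flex_parse_date(value: to_string(m["0"]), timezone: "America/Vancouver");

    // Overwrite the message timestamp; keep the original body untouched
    // so the raw text is still available for comparison.
    set_field("timestamp", ts);
end
```

Attach the rule to a stage in a pipeline connected to the stream that carries the ClearPass input, then compare `timestamp` against the date in `message` on a few events to confirm the zone offset is right.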

Dear Joel,

As soon as you mentioned “I would create a raw input”, I had a flashback to when I set up Graylog for ClearPass years ago and I had to choose “Raw” as the input.

Everything is working fine now, many thanks!

Cheers,
