So we recently spun up a Graylog Server and so far I love it, much easier than an ELK stack! There has only been a few issues, but the issue I’ve been working on currently, which seems to be a common issue, is timestamps. Per a majority of the suggestions I found, we set the root_timezone to UTC, and then configured the timezones per user. The issue I’m having is the timestamp that is being assigned to certain sources. For instance we have a Fortinet device that is sending syslog and the time stamp, not user time stamp, is 9:24. We also have a linux box that has a time stamp of 14:24. These are supposed to be reporting around the same time. Obviously this is an issue, but I’m not really sure how to address it, short of just setting UTC on the Fortinet device. Does anyone have advice? Thank you.
I’ve created an issue on GitHub for tracking these issues:
As a workaround, you can use the parse_date()
pipeline function to parse the date from your syslog messages in the correct timezone.
Awesome, and thank you for the quick reply. I’ll look into the pipeline function.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.