Hi all,
I have a problem with some syslog type logs.
These syslog events contain a UTC timestamp without the timezone specified, as in the next example:
<34>1 2021-06-21T11:30:15.003 mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
The problem is that Graylog interprets that timestamp as localtime instead of UTC, leaving the “timestamp” field with the value of 2021-06-21T09:30:15.003Z instead of the good one: 2021-06-21T11:30:15.003Z
This has forced me to rewrite the timestamp in a rule in order to store it with the correct value:
rule "fixts"
when
    true
then
    // set_field("glTs", to_string($message.timestamp));
    // Keep only "yyyy-MM-ddTHH:mm:ss.SSS" (23 characters) of the stored timestamp, dropping the trailing "Z"
    let strDate = substring(to_string($message.timestamp), 0, 23);
    // Re-parse it in Etc/GMT+2 (which is UTC-2) to shift the value back by two hours
    let new_date = parse_date(value: strDate, pattern: "yyyy-MM-dd'T'HH:mm:ss.SSS", timezone: "Etc/GMT+2");
    set_field("timestamp", new_date);
end
My questions are:
- Why is Graylog interpreting the non-timezoned syslog timestamp as local time? Is it possible to change this behaviour?
- Is there a better/nicer way to rewrite the timestamp?
By the way, I am using Graylog version 3.1.4.
Thanks
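A runnable model of the shift described in the post and of what the fixts rule does to undo it, written in Python as an added example (it is neither the poster's code nor Graylog's implementation). It assumes the Graylog node runs at UTC+2, and it shows that the rule only produces the right value because "Etc/GMT+2" denotes UTC-2 (POSIX sign convention), alongside the more direct option of parsing the raw timestamp as UTC.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample taken from the syslog line in the post: no zone designator.
RAW_TS = "2021-06-21T11:30:15.003"
PATTERN = "%Y-%m-%dT%H:%M:%S.%f"
# Assumption: the Graylog node's local zone is UTC+2 (e.g. CEST in June 2021).
NODE_TZ = timezone(timedelta(hours=2))


def zone(name: str) -> tzinfo:
    """Resolve a zone name via the system tz database; if tzdata is missing,
    apply the POSIX rule that 'Etc/GMT+N' means UTC minus N hours."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:  # no tzdata on a minimal host, or Python < 3.9
        if name.startswith("Etc/GMT"):
            return timezone(timedelta(hours=-int(name[7:] or 0)))
        raise


def etc_gmt_offset_hours(name: str) -> float:
    """Hours east of UTC for a zone name; 'Etc/GMT+2' yields -2.0, not +2.0."""
    return zone(name).utcoffset(datetime(2021, 6, 21)).total_seconds() / 3600


def graylog_store(raw_ts: str) -> datetime:
    """Model the behaviour in the post: a zone-less timestamp is read as node
    local time and stored as UTC, so 11:30 local (UTC+2) becomes 09:30Z."""
    return datetime.strptime(raw_ts, PATTERN).replace(tzinfo=NODE_TZ).astimezone(timezone.utc)


def fixts(stored: datetime, tz_name: str = "Etc/GMT+2") -> datetime:
    """Mirror the 'fixts' rule: keep the first 23 characters of the stored
    timestamp string and re-parse them in tz_name. This is only correct
    because Etc/GMT+2 is UTC-2, i.e. the sign is the inverse of the offset."""
    str_date = stored.isoformat(timespec="milliseconds")[:23]
    return datetime.strptime(str_date, PATTERN).replace(tzinfo=zone(tz_name)).astimezone(timezone.utc)


def parse_as_utc(raw_ts: str) -> datetime:
    """Alternative: parse the raw syslog timestamp directly as UTC instead of
    re-deriving it from the already-shifted stored value."""
    return datetime.strptime(raw_ts, PATTERN).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    stored = graylog_store(RAW_TS)
    print("stored :", stored.isoformat(timespec="milliseconds"))
    print("fixed  :", fixts(stored).isoformat(timespec="milliseconds"))
    print("direct :", parse_as_utc(RAW_TS).isoformat(timespec="milliseconds"))
```

Note that the fixts approach breaks when the node's clock moves to UTC+1 in winter while the rule still uses a fixed two-hour shift; parsing the raw field as UTC has no such dependency.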