UTC timestamp not found in search

Hello Support

I have the following problem:

I input data to Graylog via GELF-TCP at 10.05 PM.
I am using UNIX seconds plus fractional part
... "timestamp":1595621149.537000000 ...

Which is produced by a UTC timestamp:
24-JUL-20 08.05.49.537000 PM

On graylog panel - new admin user:

User altin:
    2020-07-24 22:22:17 +02:00
Your web browser:
    2020-07-24 22:22:17 +02:00
Graylog server:
    2020-07-24 20:22:17 +00:00

I have set my user to Tirana (Albania) Time (= Berlin/Rome time)
and kept the Graylog server at UTC - as suggested below:

Problem:
When I search at 10.10 PM for the last 15 min I find no record - although the input was done 5 min earlier!!!

In the chart and grid time appears correctly - 10.00 in grid,
and timestamp 2020-07-24 22:05:49 +02:00

But I need to search +2 hours behind to retrieve the record.

please advise
best regards
Altin

If searched with an Absolute Time range (e.g. for the last hour) - it works correctly, the record is returned.
But not when the Relative (the default) “Search in the last 1 hour” option is selected!

Which version of Graylog do you use? I tried it in 3.3.2 and it works right for me. I use the same timezone for server, user and browser (UTC+2).

I get unixtimestamp (UTC) using command: date +%s
Send it using echo and nc

```
echo -n '{ "version": "1.1", "host": "example.org", "short_message": "test message", "timestamp":1596128779.537000000, "level": 5 }' | nc -u 172.28.128.4 12201
```

Check your real date on the Graylog server. In the past I had a similar problem: the Graylog web interface showed the correct time in settings, but in reality the server time was off.

I use Graylog 3.3.2, have left the Graylog server’s timestamp in its default - UTC, and not set it to my (Tirana) timezone.
I did this because of what I read in note (above) “Time Zone Delay”:
“Ensure all your servers timezones are set to UTC (even if they don’t live in UTC), then all your timestamps arrive in UTC.”

Is this recommendation invalid in my case?

And I did change the root_timezone in server.conf from UTC to Europe/Tirane. I restarted the server, but on the “Overview” dashboard the Graylog server timezone still persisted at +00:00.

Can you advise on how to set the root_timezone?

best regards
Altin

P.S. What is meant by “real date in graylog server”?

Do I need to set the Ubuntu’s OS Timezone (instead of root_timezone at server.conf)?

I did a cat /etc/timezone and got Etc/UTC - which is wrong - my timezone is Tirana (CET).

My problem is identical with this question:

I did change the Ubuntu (OVA) OS timezone from UTC to Europe/Tirana.
This changed the local time clock + 2 hours.
I can set it with timedatectl - but it is reset again on every restart.

Is there a way to set the right clock permanently?

sudo timedatectl shows (ex):
Local time Fri 2020-07 05:02:09 CEST

“Graylog server:” (overview) shows:
2020-07-31 03:02:09 +02:00

Is this correct or wrong?

  1. In my graylog installation I see timedatectl and graylog’s identical.
  2. sudo timedatectl set-timezone YOUR_TIMEZONE should definitely make it permanent. Please restart graylog-server and elasticsearch services after change, or reboot.
  3. root_timezone is a setting only for the admin user (to render the correct admin user timezone) if you use it to log in to the web interface; it’s not used by the Graylog server. Other users use the timezone from their user profile.

All my servers use UTC+2 timezone not UTC.

Setting the right timezone caused the wrong clock.
Opened another ticket for that and hope someone helps me there.

root_timezone in server.conf should be left at the default (commented) UTC.
The OS timezone and datetime must be set according to local settings.
The user’s (<>admin) timezone must be set according to local settings.
When on Oracle VM - check `Hardware clock in UTC Time`

thank you very much @shoothub
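
A small check for the symptom discussed in this thread, added here as an example (not code from Graylog or from any poster): it converts the UTC string from the first post into the GELF epoch value and shows how a relative window anchored to a server clock that runs ahead misses the message, while an absolute range still finds it. The 2-hour skew, the 20:10 UTC search time, the assumption that the relative range is computed from the server's clock, and all function names are assumptions made for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

def to_gelf_timestamp(utc_text):
    """Parse a UTC string such as '24-JUL-20 08.05.49.537000 PM' into GELF epoch seconds."""
    dt = datetime.strptime(utc_text, "%d-%b-%y %I.%M.%S.%f %p")
    # Attach UTC explicitly; a naive datetime would be read in the host's local zone.
    return dt.replace(tzinfo=timezone.utc).timestamp()

def render(epoch, offset_hours):
    """Show an epoch value at a fixed UTC offset, as a user profile timezone would."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S %z")

def relative_hit(msg_ts, server_now, minutes):
    """Relative search: the window ends at the server's own idea of 'now'."""
    return server_now - minutes * 60 <= msg_ts <= server_now

def absolute_hit(msg_ts, start, end):
    """Absolute search: both bounds are explicit instants, no server clock involved."""
    return start <= msg_ts <= end

def diagnose(msg_ts, true_now, server_now, minutes):
    """Compare a relative search under a correct clock and under the server's clock."""
    return {
        "skew_hours": round((server_now - true_now) / 3600, 2),
        "hit_with_correct_clock": relative_hit(msg_ts, true_now, minutes),
        "hit_with_server_clock": relative_hit(msg_ts, server_now, minutes),
        # Smallest relative range (in minutes) that still reaches the message.
        "minutes_needed": max(0, math.ceil((server_now - msg_ts) / 60)),
    }

# Values from the first post; the search time and the skew are constructed.
MSG_TS = to_gelf_timestamp("24-JUL-20 08.05.49.537000 PM")
TRUE_NOW = datetime(2020, 7, 24, 20, 10, tzinfo=timezone.utc).timestamp()
SKEWED_NOW = TRUE_NOW + 2 * 3600  # assumed: server clock 2 hours ahead

if __name__ == "__main__":
    print("GELF timestamp:", MSG_TS)
    print("Shown at +02:00:", render(MSG_TS, 2))
    print(diagnose(MSG_TS, TRUE_NOW, SKEWED_NOW, 15))
    print("Absolute last hour:", absolute_hit(MSG_TS, TRUE_NOW - 3600, TRUE_NOW))
```

Comparing `date -u +%s` on the Graylog host with a trusted time source gives the real `server_now` to feed into `diagnose`.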
