Wrong log timestamp if server time is wrong?

Hi everybody, I changed the system time on a Windows 2016 server that forwards its event log to Graylog via the Nxlog agent, setting the system time two hours ahead in the future, and now on Graylog all logs arrive with all timestamps two hours ahead; there is no reference to the “real” timestamp.

Is there a way to have all logs with the timestamp set to the Graylog server time, instead of the timestamp of the source server? Or is having all servers time-synced with the Graylog server a prerequisite?

There is a field ‘EventReceivedTime’. Timestamp means what it is called: the timestamp from the source server.

Hi, even “EventReceivedTime” is two hours ahead:

EventReceivedTime
2019-05-28 17:58:51

timestamp
2019-05-28 17:58:49.000 +02:00

Is the time configuration under System/Overview OK?

How should Graylog know which time is the real one? The sender's time is always seen as the time of the event. You describe that you have changed that time; if you did not configure Graylog to change that timestamp, how should it know that the time is not correct and substitute two hours?

Ok, so I have to properly configure Graylog to overwrite the timestamp and ignore the timestamp provided by the Windows 2016 client (I read in these forums that it is possible using a pipeline).

I did this to simulate a possible compromise of a server. An attacker could change the system time before performing some malicious activity to make intercepting his activity via the logs more difficult…
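A Graylog pipeline rule of the kind referred to above, added here as an example (it is not code from the original thread): it preserves the sender-supplied timestamps in separate fields so a tampered or drifted clock stays visible to an investigator, then replaces the searchable `timestamp` with the Graylog node's own clock. The field names `source_timestamp` and `source_event_received_time` are assumed.

```graylog
rule "replace untrusted source timestamp with Graylog receive time"
when
  // only touch messages that carry the Nxlog receive-time field
  has_field("EventReceivedTime")
then
  // keep the sender-supplied values so clock tampering remains visible
  // (assumed field names; choose whatever fits your schema)
  set_field("source_timestamp", to_string($message.timestamp));
  set_field("source_event_received_time", to_string($message.EventReceivedTime));
  // overwrite the searchable timestamp with the Graylog node's clock
  set_field("timestamp", now());
end
```

Connect the rule to a stage of the pipeline attached to the stream that carries the Windows event logs. A large gap between `source_timestamp` and `timestamp` is then a cheap, alertable indicator that a sender's clock is wrong or was changed.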
