We built a custom module for parsing F5 Load Balancer logs, and all the patterns are working fine. But the timezone is set to UTC -8 hours for the ingested events showing up in Kibana. We're currently in the PT timezone.
{
  "filebeat-7.5.2-f5-logs-pipeline" : {
    "description" : "Pipeline for parsing F5 LTM and Audit Logs",
    "processors" : [
      {
        "grok" : {
          "field" : "message",
          "patterns" : [
            "%{SYSLOGTIMESTAMP:f5.timestamp} %{IPORHOST:host.hostname} (%{LOGLEVEL:log.level})? %{PROG:process.parent.name}\\(%{NOTSPACE:process.name}\\)(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYDATA:syslog_message}",
            "%{SYSLOGTIMESTAMP:f5.timestamp} %{IPORHOST:host.hostname} %{PROG:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYDATA:syslog_message}"
          ],
          "ignore_missing" : true
        }
      },
      {
        "date" : {
          "if": "ctx.event?.timezone == null",
          "field" : "f5.timestamp",
          "target_field" : "@timestamp",
          "formats" : [
            "MMM d HH:mm:ss",
            "MMM dd HH:mm:ss"
          ]
        }
      },
      {
        "date" : {
          "if": "ctx.event?.timezone != null",
          "field" : "f5.timestamp",
          "timezone": "{{ event.timezone }}",
          "target_field" : "@timestamp",
          "formats" : [
            "MMM d HH:mm:ss",
            "MMM dd HH:mm:ss"
          ]
        }
      },
      {
        "date_index_name" : {
          "field" : "@timestamp",
          "date_rounding" : "d",
          "index_name_prefix" : "f5-",
          "index_name_format" : "yyyy.MM.dd",
          "ignore_failure" : false
        }
      }
    ]
  }
}
Sample event -
"May 13 11:01:03 sysloghost notice run-parts(/etc/cron.hourly)[12939]: finished genkeys"
I followed some old threads and even tried deleting the pipeline from Dev Tools and re-creating it, but the events still show up in Kibana with the wrong timezone.
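As an added example (not from the original post), here is the same pipeline body with an explicit `timezone` on the first date processor. Without that option the date processor treats a syslog timestamp such as `May 13 11:01:03` as UTC, so Kibana shifts it by the local offset when it renders in browser time; `America/Los_Angeles` is assumed here as the zone the F5 devices log in.

```json
{
  "description": "Pipeline for parsing F5 LTM and Audit Logs",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{SYSLOGTIMESTAMP:f5.timestamp} %{IPORHOST:host.hostname} (%{LOGLEVEL:log.level})? %{PROG:process.parent.name}\\(%{NOTSPACE:process.name}\\)(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYDATA:syslog_message}",
          "%{SYSLOGTIMESTAMP:f5.timestamp} %{IPORHOST:host.hostname} %{PROG:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYDATA:syslog_message}"
        ],
        "ignore_missing": true
      }
    },
    {
      "date": {
        "if": "ctx.event?.timezone == null",
        "field": "f5.timestamp",
        "target_field": "@timestamp",
        "timezone": "America/Los_Angeles",
        "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
      }
    },
    {
      "date": {
        "if": "ctx.event?.timezone != null",
        "field": "f5.timestamp",
        "target_field": "@timestamp",
        "timezone": "{{ event.timezone }}",
        "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
      }
    },
    {
      "date_index_name": {
        "field": "@timestamp",
        "date_rounding": "d",
        "index_name_prefix": "f5-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    }
  ]
}
```

Load it with `PUT _ingest/pipeline/filebeat-7.5.2-f5-logs-pipeline` and check the resulting `@timestamp` for the sample event with `POST _ingest/pipeline/filebeat-7.5.2-f5-logs-pipeline/_simulate`; alternatively, enable Filebeat's `add_locale` processor so `event.timezone` is populated and the second date branch handles the conversion instead.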