Date difference in events received from filebeat

Hello,

I am using filebeat on a remote linux machine to send events to logstash.

I am using grok and the date module to get events' timestamps.

Here is my complete configuration:

input {
  beats {
    type => "gemma_logs"
    port => 5045
  }
}

filter{
  if [type] == "gemma_logs" {
    grok {
      match => ["message" , "%{TIMESTAMP_ISO8601:logdate} %{DATA:level} \[%{DATA:class}\] \(%{DATA:file}:%{NUMBER:line}\) - %{GREEDYDATA:log_message}"]
    }
    date {
      match => [ "logdate", "YYYY-mm-dd HH:mm:ss,SSS" ]
    }
  }
}

output {
  if [type] == "gemma_logs" {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}

This worked fine until January 31st 23:59:59 (?!). However, no index has been created for February so far (today is the 3rd). In the logstash debug logs I see that there is now a strange time difference between events and their matched timestamp; it is exactly a month and 2 hours:

Here is an example:

"message"=>"2019-02-03 14:24:59,147 DEBUG [cti.cdr.CdrLogger] 
"logdate"=>"2019-02-03 14:24:59,147",
"@timestamp"=>2019-01-03T12:24:59.147Z       

Here is the complete event from filebeat:

[2019-02-03T14:25:04,547][DEBUG][logstash.pipeline        ] output received 
	{"event"=> {"source"=>"/var/log/gemma/telephonyserver.log",
				"offset"=>17777708,
				"prospector"=>{"type"=>"log"},
				"host"=>{"os"=>{"family"=>"debian",
								"platform"=>"debian",
								"version"=>"9 (stretch)",
								"codename"=>"stretch"},
						"id"=>"f4b257800bf84bb185af2518df28f267",
						"name"=>"gemmasrv",
						"containerized"=>false,
						"architecture"=>"x86_64"},
				"@version"=>"1",
				"file"=>"CdrLogger.java",
				"beat"=>{"hostname"=>"gemmasrv",
						"name"=>"gemma_10.0.26.20",
						"version"=>"6.5.4"},
				"class"=>"cti.cdr.CdrLogger",
				"type"=>"gemma_logs",
				"log_message"=>"deliveredEvent(device: 302106960115)",
				"line"=>"139",
				"logdate"=>"2019-02-03 14:24:59,147",
				"input"=>{"type"=>"log"},
				"tags"=>["beats_input_codec_plain_applied"],
				"level"=>"DEBUG",
				"message"=>"2019-02-03 14:24:59,147 DEBUG [cti.cdr.CdrLogger] (CdrLogger.java:139) - deliveredEvent(device: 302106960115)",
				"@timestamp"=>2019-01-03T12:24:59.147Z}
				}

I'd appreciate any help or ideas.

Change YYYY-mm-dd to YYYY-MM-dd
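Why that one-letter change fixes the symptom in the question above, as an added example that is not part of the original thread or of Logstash itself: a small Python emulation of how a Joda-Time pattern (the format language the Logstash date filter uses) consumes the broken pattern and the corrected one. In Joda, `MM` is month-of-year and `mm` is minute-of-hour, so `YYYY-mm-dd HH:mm:ss,SSS` never mentions the month at all and names the minute twice. The emulation assumes two Joda parsing rules: a field the pattern never names keeps its default (month 1), and when a field is named twice the value parsed last wins. It also assumes the Logstash host runs at UTC+2, since without a `timezone` option the date filter reads the parsed wall-clock time in the host's zone, which is what the two-hour shift in the posted event suggests. The sample log dates are constructed (the first one is copied from the post).

```python
import re
from datetime import datetime, timedelta, timezone

# Joda-Time pattern letters needed for the two patterns in the thread. Case matters:
# MM is month-of-year, mm is minute-of-hour. (Assumption: only these tokens are modelled.)
TOKENS = {
    "YYYY": ("year", 4),
    "MM": ("month", 2),
    "mm": ("minute", 2),
    "dd": ("day", 2),
    "HH": ("hour", 2),
    "ss": ("second", 2),
    "SSS": ("millisecond", 3),
}
# Longest tokens first so "SSS" is not consumed as a literal and "YYYY" as two tokens.
TOKEN_RE = re.compile("|".join(sorted(TOKENS, key=len, reverse=True)))


def parse_joda_like(pattern: str, text: str, local_tz: timezone) -> datetime:
    """Emulate the two Joda parsing rules behind the thread's symptom (assumed, see lead-in):
    a field the pattern never names keeps its default (month and day default to 1), and a
    field named twice takes the value parsed last. Returns the instant converted to UTC,
    which is what the date filter stores in @timestamp."""
    fields = {"year": 2000, "month": 1, "day": 1, "hour": 0,
              "minute": 0, "second": 0, "millisecond": 0}
    i = pos = 0
    while i < len(pattern):
        m = TOKEN_RE.match(pattern, i)
        if m:
            name, width = TOKENS[m.group(0)]
            digits = text[pos:pos + width]
            if len(digits) != width or not digits.isdigit():
                raise ValueError(f"expected {width} digits for {name} at offset {pos}: {text!r}")
            fields[name] = int(digits)   # a repeated field overwrites the earlier value
            pos += width
            i = m.end()
        else:                            # literal separator such as '-', ' ', ':' or ','
            if pos >= len(text) or text[pos] != pattern[i]:
                raise ValueError(f"expected {pattern[i]!r} at offset {pos}: {text!r}")
            pos += 1
            i += 1
    if pos != len(text):
        raise ValueError(f"trailing input: {text[pos:]!r}")
    local = datetime(fields["year"], fields["month"], fields["day"], fields["hour"],
                     fields["minute"], fields["second"], fields["millisecond"] * 1000,
                     tzinfo=local_tz)
    return local.astimezone(timezone.utc)


# Assumption: the Logstash host is at UTC+2, matching the 2-hour shift in the posted event.
HOST_TZ = timezone(timedelta(hours=2))

BROKEN = "YYYY-mm-dd HH:mm:ss,SSS"   # pattern from the original config
FIXED = "YYYY-MM-dd HH:mm:ss,SSS"    # pattern from the accepted answer


def to_timestamp(pattern: str, logdate: str, local_tz: timezone = HOST_TZ) -> str:
    """Return the @timestamp string Logstash would emit for `logdate` under `pattern`."""
    utc = parse_joda_like(pattern, logdate, local_tz)
    return utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def date_part_uses_minutes(pattern: str) -> bool:
    """Lint: True when a minute token sits before the first hour token, i.e. `mm`
    was written where month-of-year `MM` was intended."""
    date_part = pattern.split("HH", 1)[0]
    return "mm" in date_part


if __name__ == "__main__":
    # Constructed sample log dates: the one from the thread, and a January one that the
    # broken pattern happens to get right because the defaulted month is 1 anyway.
    for logdate in ("2019-02-03 14:24:59,147", "2019-01-15 09:05:30,000"):
        for pattern in (BROKEN, FIXED):
            print(f"{pattern}  {logdate}  ->  {to_timestamp(pattern, logdate)}")
    print("lint flags broken/fixed:", date_part_uses_minutes(BROKEN), date_part_uses_minutes(FIXED))
```

With the broken pattern the digits `02` are read as minutes and then overwritten by the real minutes `24`, while the month stays at its default of 1: the event lands on 2019-01-03T12:24:59.147Z, exactly the value in the posted debug output, and every January line parses correctly by coincidence. Once the month is wrong, the daily index name built from `%{+YYYY.MM.dd}` also points a month back, which is why no February index appeared. The `date_part_uses_minutes` check is a cheap guard to run over new `date` filter patterns before they reach a pipeline.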

That worked. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.