Date filter stuck in 2000

Elastic Stack Logstash
1

Hello,

I have a strange problem with the date filter : whenever I use it and there is no year specified in the field, instead of using the current year, it puts 2000 in @timestamp.
Tested on a wide variety of logs with different date patterns.
Tested with logstash 2.1.2 and 2.2.2.

Since I have found no trace of this problem on the web, I think I am doing something wrong.

Could someone please tell me how to do it right ?

TYVM

Example message:
Mar 1 11:25:01 sv-t-vnl-relaisint01 postfix/qmgr[13312]: DEA6C14E: removed

Filter used :

grok {
  match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{GREEDYDATA:real_message}"}
}

date {
  match => [ "timestamp",
    "MMM dd HH:mm:ss",
    "MMM  d HH:mm:ss"
  ]
  timezone => "Europe/Paris"
  remove_field => [ "timestamp" ]
}

My server date is correct :
root@sv-t-vnl-logs-central01:~# date
mardi 1 mars 2016, 11:38:09 (UTC+0100)

2

Can you please check the LOCALE of your system, I suspect that you hit a side-effect of https://github.com/logstash-plugins/logstash-filter-date/issues/57

If that the case you must specify locale => "en" in your filter config.

3

It did the trick, thank you very much !

For the record, version and locale used :

root@sv-t-vnl-logs-central01:/opt/logstash/bin# ./logstash --version
logstash 2.2.2
root@sv-t-vnl-logs-central01:/opt/logstash/bin# ./plugin list --verbose logstash-filter-date
logstash-filter-date (2.1.2)
root@sv-t-vnl-logs-central01:/opt/logstash/bin# locale
LANG=fr_FR.UTF-8
LANGUAGE=
LC_CTYPE="fr_FR.UTF-8"
LC_NUMERIC="fr_FR.UTF-8"
LC_TIME="fr_FR.UTF-8"
LC_COLLATE="fr_FR.UTF-8"
LC_MONETARY="fr_FR.UTF-8"
LC_MESSAGES="fr_FR.UTF-8"
LC_PAPER="fr_FR.UTF-8"
LC_NAME="fr_FR.UTF-8"
LC_ADDRESS="fr_FR.UTF-8"
LC_TELEPHONE="fr_FR.UTF-8"
LC_MEASUREMENT="fr_FR.UTF-8"
LC_IDENTIFICATION="fr_FR.UTF-8"
LC_ALL=