Date parsing issue - returns wrong month

thomas.dotreppe · November 12, 2015, 11:45pm

I originally the data was not in ElasticSearch but after some help, it looks like the date was parsed incorrectly (it gets the month incorrectly).

Here are the 3 (original) lines coming from the log file:

[MST Nov 10 09:35:07] error    : 'htpasswd' checksum test failed for /etc/nginx/.htpasswd
[MST Nov 10 09:35:07] error    : 'logstash' process PID changed from 18232 to 18462
[MST Nov 10 09:35:07] info     : 'logstash_conf' timestamp was not changed for /etc/logstash/conf.d

And here is the Logstash config file for monit:

input {
        file {
                path => '/var/log/monit.log'
                sincedb_path => "/var/logstash/monit.db"
                sincedb_write_interval => 1
                type => 'monit'
        }
}

filter {
        if [type] == 'monit' {
                grok {
                        match => [ 'message', '%{SYSLOG5424SD:timestamp_noyear} %{LOGLEVEL:loglevel}%{SPACE}: %{GREEDYDATA:message}' ]
                        overwrite => 'message'
                }
                ruby {
                        init => "require 'time'"
                        code => "Time.strptime(event['timestamp_noyear'], '[%Z %b %d %H:%M:%S]') - Time.now > 2500000 ? event['year'] = Time.now.year - 1 : event['year'] = Time.now.year"
                }
                mutate {
                        add_field => {
                                "timestamp" => "%{timestamp_noyear} %{year}"
                        }
                }
                date {
                        match => [ "timestamp", "[zzz MMM DD HH:mm:ss] yyyy", "[zzz MMM  D HH:mm:ss] yyyy" ]
                        locale => "en"
                        remove_field => [ "timestamp", "timestamp_noyear", "year" ]
                }
        }
}

Here is the data parsed:

{"message":"'htpasswd' checksum test failed for /etc/nginx/.htpasswd","@version":"1","@timestamp":"2015-01-10T16:35:07.000Z","host":"ubuntu","path":"/var/log/monit.log","type":"monit","loglevel":"error"}
{"message":"'logstash_conf' timestamp was not changed for /etc/logstash/conf.d","@version":"1","@timestamp":"2015-01-10T16:35:07.000Z","host":"ubuntu","path":"/var/log/monit.log","type":"monit","loglevel":"info"}
{"message":"'logstash' process PID changed from 18232 to 18462","@version":"1","@timestamp":"2015-01-10T16:35:07.000Z","host":"ubuntu","path":"/var/log/monit.log","type":"monit","loglevel":"error"}

I cannot figure out why the wrong month is picked. Even debugging and redoing the date pattern from scratch, I came up with the exact same one.

System info:

Ubuntu 14.04.3 64bit LTS
Logstash 1.5.5
Official JDK 8 (u66)

magnusbaeck · November 13, 2015, 6:51am

IIRC the date filter won't be able to parse "MST" with zzz. Only hour:minute offsets are supported. Or are you parsing the timezone name with the ruby filter and storing it back in timestamp as an offset? What's the contents of the timestamp filter when it reaches the date filter (just remove the remove_field)?

thomas.dotreppe · November 13, 2015, 4:34pm

Is there any way to parse the timezone? I thought zzz was taking care of that. Which class is Logstash using to do the date parsing? SimpleDateFormat?

Here is what timestamp look like right before reaching date filter:

[MST Nov 10 09:35:07] 2015

magnusbaeck · November 14, 2015, 2:01pm

Is there any way to parse the timezone? I thought zzz was taking care of that.

As documented, "Time zone names ('z') cannot be parsed." However, with the translate filter it should be easy to set up a custom table for mapping time zone names to offsets that you can feed the date filter with. Presumably the set of time zones that can occur in your logs is limited and unambiguous.

Which class is Logstash using to do the date parsing? SimpleDateFormat?

It's the Joda-Time Java library that does this.

wiibaa · November 14, 2015, 4:29pm

As Magnus mention, you should be cautious with lowercase z, but it seems that MST is one of the few timezone supported by joda.

However you are using uppercase D = day of year instead of lower case d == day of month, always hard to remember so please read carefully the joda reference mentionned in the plugin documentation http://joda-time.sourceforge.net/apidocs/org/joda/time/format/DateTimeFormat.html

thomas.dotreppe · November 16, 2015, 5:21pm

I couldn't remember it was using Joda Time, thanks for noticing the mistake with day of year.

Was was Joda time chosen and not SimpleDateTime (since it can parse time zones and is built-in)?