I have installed a new instance of Elasticsearch 7.3 and configured one host to send Filebeat data with Auditd and System modules. The auditd logs look correct. The System module collected data will not stop converting the timezone to UTC. When I view the logs in Kibana, everything picked up by the system module shows the data time as UTC. This was previously fixed by uncommenting and setting the var convert timezone setting to true in the system.yml file. I then set the filebeat.yml to add_locale with the abbreviation. That resulted in an error in processing that indicates PDT - the timezone the server is running in - as an unknown Timezone ID.
Oh, and when I say "will not stop converting the timezone to UTC" I mean it is showing in Kibana as UTC, so everything appears to have happened hours earlier than it actually happened. And this is only true for the system module so far.
Yes. At each attempt I have deleted the created index, index pattern, deleted the ingest pipeline and deleted the template. Then I ran the filebeat setup command and started the service. Each time the timezone is wrong.