Filebeat and Timezones

yammy · January 26, 2016, 10:14pm

Full disclosure, just getting started with my first ELK stack setup...

When I use Filebeat to forward syslogs I have some hosts in UTC and some in EST. Once they go into Elastic Search it assumes everything is in UTC which puts timestamp searching out by a few hours. (viewed through Kibana)

Is there a way to configure the Filebeat agent so that it will convert the dates into UTC before submitting to LogStash/Elastic Search? Or is there a preferred way to address this?

steffens · January 26, 2016, 11:48pm

do you index right into elasticsearch or via logstash?

filebeat just collects log lines and reports times a line has been read in UTC already. But content of line is not adjusted. If you're using any kind of filter 'grok' in logstash to parse line and timestamp, the timestamp adjustment must be made in logstash.

Maybe you can use beat.hostname, beat.name, type or any other information to filter the source.

yammy · January 27, 2016, 3:13pm

Hi Steffens

I am loading the data via logstash. I'm using the docker appliance sebp/elk. Below is a copy of the syslog.conf on the logstash server.

So I'm gathering that I need to define a new filter type on the logstash server i.e. "syslog_est" and then set the timestamp as EST in that filter? If so, what is the proper syntax of defining the timezone?

##############################
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

yammy · January 27, 2016, 7:45pm

For anyone who should come across this, here's how I solved it:

I created a copy of /etc/logstash/conf.d/10-syslog.conf as it /etc/logstash/conf.d/11-syslog.conf on the logstash server.
Edit the new conf file and change if [type] == "syslog" to if [type] == "syslog_est"
Again edit the new conf file and edit the date directive to include the timezone:

date {
timezone => "America/New_York"
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

Edit the /etc/filebeat/filebeat.yml on the filebeat agent to:

filebeat:
prospectors:
-
paths:
- /var/log/secure
- /var/log/messages
document_type: syslog_est
-

Restart the filebeat service and the log timestamps in elastic search are now correct.

Alternatively, if you can configure your ssh service which writes to /var/log/secure to use UTC, this might be the better way to go.

steffens · January 27, 2016, 10:46pm

Cool. If possible you should try to normalize time zones at source or include timezone info in your original logs.

Topic		Replies	Views
[Still Not Solved!] Filebeat cannot recognize timezone in syslog Beats filebeat	25	5540	August 28, 2019
Filebeat's elasticsearch module output wrong timestamp on Kibana Logs Beats filebeat	1	1068	June 25, 2019
Last 15/30 min data being displayed in UTC whereas in Today its the actual Timestamp inserted in ES Kibana	9	1697	May 15, 2018
@timestamp value for syslog input not in UTC Logstash	2	114	April 3, 2024
Ingesting America/Chicago timezone logs with no tz indicator Beats filebeat	3	13	August 28, 2024

Filebeat and Timezones

Related Topics