Very new to Elastic and all things ELK...
I have started a trail instance of Cloud ES on version 7.2.0, I am testing the panw filebeat module to ship my firewall logs to ES. I have followed what I though to be the correct path for installing filebeat but my log times are skewed by +2 hours.
The config is very basic so I may be missing a setting the only changes I have made is to provide my cloudid instance and credentials as well as enable to panw module then run the setup for filebeat.
Firewall is set to Africa/Johannesburg, PC with filebeat loaded is set to Africa/Johannesburg and ES time zone in advanced is also set (All times are UTC +2)
When looking at the logs in ES this is represented
What I believe you're seeing is that the timestamp is recorded in UTC (which should typically be the case for all logged timestamps) but the UI is showing you the parsed timestamp in your local time -- that is, the underlying data is correct, it's just the viewer that is causing the apparent skew. Unless you see some other sign that the raw data fields are also receiving the wrong time, I wouldn't worry about this.
Thanks for the answer, the raw logs received in to ES were in my local timezone, but ES what I think was happening was ES assumed they were UTC and added +2 hours when storing them which meant I could not see any data unless I moved the time scale 2 hours forward.
After modifying the manifest.yml file in the panw modules folder to the following everything seemed to resolve and the logs and timestamps are now correct
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
