Hello,
Messages before 1PM (5AM UTC) china time never appeared in graylog. New messages start piping at 1:00PM. All messages before 1:00 never arrived.
I have light setup: linux, filebeat, sidecar, graylog, with just 2 log files parsed and pushed to the graylog.
Log files created at the morning ~8AM China and data starts (explicitly flushed) into it.
Filebeat start pushing data into graylog, but graylog does not display anything until 1PM.
After 1PM everything works as expected. However both filebeat and graylog run on machines with China timezone. Graylog says server time is China local time. Noticeably that 1PM in China is midnight in our chicago office.
Pattern is consistent across the dates and all machines in here.
Any suggestion where to look next?
filebeat.inputs:
- input_type: log
paths:
- /home/user1/log_*.log
type: log
output.logstash:
hosts: ["loghost.com:5044"]
path:
data: /var/lib/graylog-sidecar/collectors/filebeat/data
logs: /var/lib/graylog-sidecar/collectors/filebeat/log
Beats configuration:
bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********