I am using filebeat 6.7.1 with the system, iptables, traefik and apache2 modules. For some reason I am having issues with @timestamp being incorrect for system (from /var/log/syslog* and /var/log/auth.log*) and iptables (from /var/log/kern.log*) logs.
These logs are written with timestamps according to the timezone CET / CEST (Europe/Berlin), currently UTC+2. Filebeat is running in a container with the same timezone information.
date gives the same date, time and timezone on the host and in the container.
For some reason the @timestamp is neither UTC nor UTC+2, but unfortunately rather UTC+4. This happens regardless of
convert_timezone being true or false. This option only affects
beat.timezone being 00:00 or 02:00.
For the other log files, like apache2 and traefik this issue does not happen, because the log lines already contain the timezone information in the timestamps.
Does anyone have any idea about this issue or experienced the same? What am I doing wrong, besides unfortunately not using UTC for all log files and systems.
Thanks and best regards,