Greetings, we're VERY new to the Elastic stack. What we've got working so far is running on Oracle Linux 7 (a RHEL 7 clone) using the 6.3 (latest) versions installed via YUM:
filebeat-6.3.1-1.x86_64
All our systems are configured to run in local time (MDT) not UTC.
Filebeat is configured with the 'system' module enabled for output.elasticsearch, and we've confirmed that we're getting data (and dashboard objects) in Kibana. Initial setup was fine, but we noticed all of our data in Kibana showed up 6 hours in the past (which matches our timezone offset). So I did a fair amount of my own research before finally arriving at the 'system' module config file and the 'var.convert_timezone' parameter. We set this to 'true' and got a partial solution.
All the data from /var/log/messages (defined via syslog) now gets stuffed correctly and shows up in Kibana at the correct time, but all the data harvested from /var/log/secure (defined via auth) still shows up 6 hours in the past.
I could really use some help tracking down where in the module (/usr/share/filebeat/module/system) to change to get the timezone conversion working for both components of this module.
Thanks!
Our /etc/filebeat/modules.d/system.yml:

- module: system
  # Syslog
  syslog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    var.convert_timezone: true
  # Authorization logs
  auth:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    var.convert_timezone: true
# end
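The mechanism behind the 6-hour shift described in the post, as an added example that is not part of the original post or of Filebeat itself: a classic syslog line (the format of both /var/log/messages and /var/log/secure) carries no year and no timezone, so whatever ingests it must either assume UTC or be told the host's zone. The script parses constructed sample lines (not real logs), computes both readings, and reports the skew; the host zone America/Denver is an assumption matching the MDT mentioned in the post, and the helper names are hypothetical. It also goes beyond the July case in the post to show that the skew is 7 hours, not 6, for a January line, because the offset depends on whether the event date falls in daylight time.

```python
"""Why an unzoned syslog timestamp lands hours "in the past" in Kibana.

Lines in /var/log/messages and /var/log/secure carry a timestamp with no
year and no zone ("Jul 10 14:23:05").  If the ingest side is not told the
host's zone it can only treat that wall-clock time as UTC; if it is told
(what convert_timezone is for), it shifts the local time to UTC first.
The two readings differ by the host's UTC offset on that date.
"""
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Assumption: the host runs in America/Denver (MDT/MST), matching the post.
LOCAL_TZ = ZoneInfo("America/Denver")

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample lines (not real logs): one auth event, one syslog event.
SAMPLE_LINES = [
    "Jul 10 14:23:05 ol7host sshd[2231]: Accepted publickey for admin "
    "from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc",
    "Jan 10 08:00:00 ol7host systemd: Started Session 12 of user root.",
]


def parse_syslog_line(line: str, year: int) -> dict:
    """Split a syslog line. The timestamp comes back as a naive datetime
    because the line itself carries no zone (and no year, so one is supplied)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": naive,
        "host": m["host"],
        "program": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def as_utc_unconverted(naive: datetime) -> datetime:
    """Reading without zone information: the wall-clock time is taken as UTC."""
    return naive.replace(tzinfo=timezone.utc)


def as_utc_converted(naive: datetime, tz: ZoneInfo = LOCAL_TZ) -> datetime:
    """Reading with zone information: interpret the wall-clock time in the
    host zone, then shift it to UTC."""
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def apparent_skew_hours(line: str, year: int, tz: ZoneInfo = LOCAL_TZ) -> float:
    """Hours by which the unconverted reading trails the correct one.
    Negative means the event is displayed in the past, as in the post."""
    naive = parse_syslog_line(line, year)["timestamp"]
    delta = as_utc_unconverted(naive) - as_utc_converted(naive, tz)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog_line(line, 2018)
        print(
            f"{ev['program']:>8}: local {ev['timestamp']}  "
            f"unconverted={as_utc_unconverted(ev['timestamp']).isoformat()}  "
            f"converted={as_utc_converted(ev['timestamp']).isoformat()}  "
            f"skew={apparent_skew_hours(line, 2018):+.0f}h"
        )
```

Run it with no arguments; the July sshd line shows a skew of -6h and the January systemd line -7h. A quick check of the symptom in Kibana is therefore to compare an event's @timestamp against the raw line for a recent date and see whether the gap equals the host's current UTC offset: if it does for one fileset and not the other, the zone is being applied to one fileset's timestamp and not the other's.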