I am using version 7.2.0 and have system module enabled. What I am seeing is that when an event occures lets say at 6PM. When this event is sent to elasticsearch it assumes this is UTC and when opened in browser adjusts it to 2PM. However the event is really 6PM EST.
I see that there is a configuration value
processors:
However that seems to be doing nothing. How do I configure filebeat to pickup the value from the system config? And then keep it the same?
Me too. I have the same problem as yours. This is a real bug and the Elastic team hasn't solve it yet.
See this thread: [Still Not Solved!] Filebeat cannot recognize timezone in syslog
So there is no solution? I have set the convert time stamp to true in System module. I dont use logstash so filebeat sends directly to Kibana and its not converting the timestamp.
I had this problem with a different module. My solution only worked for me because the logs came through in real time. If you need an older timestamp, this probably won't work.
My current "workaround" is removing any timestamp-related modification in the ingest pipeline:
After editing this file, you have to delete the old ingest pipeline (the dev tools command will look something like this):
Once the old pipeline is deleted, restart filebeat. The new pipeline will be registered and the @timestamp should be current.
© 2018. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.