How to rectify wrong UTC offset value

Hi,
I'm sending my Symantec proxy (Bluecoat) logs to an ELK stack. The date format is as follows:
"[dd/MMM/YYYY:HH:mm:ss Z]"
"[30/Dec/2019:15:34:11 +0550]"

Unfortunately, due to a bug in the current SGOS (proxy firmware) version, the proxy logs send +0550 as the UTC offset, which is wrong for my timezone. I'm from Sri Lanka (Asia) and the UTC offset should be +0530. Is there a way that I can rectify this 20-minute error in Logstash?

Thanks in advance!

Use mutate+gsub to change it?


Hi,
I have done it with mutate+gsub, but it seems like after the replacement that particular parameter ("localtime") isn't detected as a parameter in the date format. Is there a workaround that I can perform? Below is my logstash.conf

input {
  beats {
    type => "proxy_bluecoat"
    port => 5044
  }
}

filter {
  if [type] == "proxy_bluecoat" {
    # drop comment lines
    if ([message] =~ /^#/) {
      drop {}
    }

    csv {
      columns => ["para1","para2", "para3", "para4", "localtime", "time_taken", "c_ip", "cs_username", "cs_auth_group", "x_exception_id", "sc_filter_result", "cs_categories", "cs_referer", "sc_status", "s_action", "cs_method", "rs_content_type", "cs_uri_scheme", "cs_host", "cs_uri_port", "cs_uri_path", "cs_uri_query", "cs_uri_extension", "cs_user_agent", "s_ip", "sc_bytes", "cs_bytes", "x_virus_id", "x_bluecoat_application_name", "x_bluecoat_application_operation", "x_bluecoat_application_groups", "cs_threat_risk", "r_ip"]
      separator => " "
    }

    # work around the SGOS bug: rewrite the wrong +0550 offset to +0530
    mutate {
      gsub => [
        "localtime", "0550", "0530"
      ]
    }

    if [localtime] {
      date {
        match => ["localtime", "[dd/MMM/YYYY:HH:mm:ss Z]"]
      }
    }

    # the csv column is named r_ip, so the condition and geoip source must use that name
    if ([r_ip] and [r_ip] != "-") {
      geoip {
        source => "r_ip"
      }
    }

    mutate {
      convert => ["sc_bytes", "integer",
                  "time_taken", "integer",
                  "r_port", "integer",
                  "s_port", "integer",
                  "cs_bytes", "integer",
                  "duration", "integer",
                  "cs_threat_risk", "integer"
                  ]
    }

    if [cs_user_agent] != "" {
      useragent { source => "cs_user_agent" prefix => "user_agent." }
    }

    if ([cs_categories] and [cs_categories] != "" and [cs_categories] != "-") {
      mutate {
        split => { "cs_categories" => ";" }
      }
    }

    mutate {
      remove_field => ["message", "host", "date", "time", "timestamp", "gmttime", "para1", "para2", "para3", "para4"]
    }
  }
}

output {
  if [type] == "proxy_bluecoat" {
    #stdout { codec => rubydebug }
    elasticsearch {
      index => "syslogs-%{[type]}-%{+YYYY.MM.dd}"
      hosts => ["elasticsearch:9200"]
      #index => "logstash-%{[type]}-%{+YYYY.MM.dd}"
    }
  }
}

By default, the date filter will modify [@timestamp]. If you want to overwrite [localtime] then you have to set the target option on the date filter.

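A filter section along those lines, as an added example that is not from the thread. It assumes the field names of the posted config and Logstash's default `config.support_escapes: false`, so the backslashes in the gsub pattern reach the regex engine unchanged.

```logstash
filter {
  if [type] == "proxy_bluecoat" and [localtime] {
    # Rewrite only the offset at the end of the field ("+0550]"), so an
    # unrelated digit run elsewhere in the value can never be touched.
    mutate {
      gsub => [ "localtime", "\+0550\]$", "+0530]" ]
    }

    # First parse: no target, so the corrected value becomes @timestamp (UTC).
    date {
      match => [ "localtime", "[dd/MMM/YYYY:HH:mm:ss Z]" ]
    }

    # Second parse: target overwrites the localtime string with a real
    # date value instead of leaving it as text.
    date {
      match  => [ "localtime", "[dd/MMM/YYYY:HH:mm:ss Z]" ]
      target => "localtime"
    }
  }
}
```

If the pattern does not match after the rewrite, the date filter leaves the field untouched and tags the event `_dateparsefailure`, which is the first thing to check in Kibana when the value still shows up as a string.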
