Hi There,
We have incoming IIS logs configured for UTC (currently 16:21 at the time of this writing). If I look at the logs in Kibana, since my browser is in PST (9:21 AM), it is showing the UTC logs from 9:21, not the recent ones at 16:21.
Here is the Grok filter:
grok {
  match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{DATA:service-name} %{DATA:hostname} %{IPV4:site} %{DATA:method} %{URIPATH:page} %{NOTSPACE:querystring} %{INT:port} %{NOTSPACE:username} %{IPV4:clienthost} %{NOTSPACE:useragent} %{DATA:referer} %{INT:response} %{INT:subresponse} %{INT:scstatus} %{INT:bytes-s:int} %{INT:bytes-r:int} %{INT:response-ms:int}"]
}
date {
  match => ["log_timestamp", "YYYY-MM-dd HH:mm:ss Z"]
  timezone => "Etc/UTC"
}
I have added the timezone parameter and also tried appending "Z" to the timestamp match. However, Kibana continues to show logs hours prior because of the timezone mismatch.
I did see this report, but am unsure if there's a way to work around this:
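
Added example, not part of the original post: a Python sketch of how one zone-less IIS timestamp becomes two different stored instants depending on the zone it is read in, and what a browser at UTC-7 (the 16:21 vs 9:21 gap in the post) then displays. The sample log line, the function names and the fixed offset are assumptions made for illustration; this is not Logstash or Kibana code.

```python
from datetime import datetime, timedelta, timezone

# Browser offset inferred from the post: 16:21 UTC shown as 09:21 local (UTC-7).
BROWSER_TZ = timezone(timedelta(hours=-7))
# IIS W3C "date time" fields carry no zone designator.
IIS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample line, fields in the order of the grok pattern above.
SAMPLE = ("2014-08-01 16:21:00 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - "
          "10.0.0.99 Mozilla/5.0 - 200 0 0 1024 512 15")


def extract_timestamp(line):
    """Return the leading 'date time' pair of a log line."""
    date_part, time_part, _rest = line.split(" ", 2)
    return f"{date_part} {time_part}"


def index_event(raw_ts, source_tz):
    """UTC instant that would be stored if raw_ts is interpreted in source_tz."""
    naive = datetime.strptime(raw_ts, IIS_FORMAT)
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def browser_display(stored_utc, browser_tz=BROWSER_TZ):
    """Wall-clock string a UI shows after converting the stored instant."""
    return stored_utc.astimezone(browser_tz).strftime(IIS_FORMAT)


def skew_hours(raw_ts, stored_utc):
    """Hours between the stored instant and the raw timestamp read as UTC.

    0.0 means the event was indexed at the right instant; a whole-hour
    value points at the timestamp having been read in the wrong zone.
    """
    expected = index_event(raw_ts, timezone.utc)
    return (stored_utc - expected).total_seconds() / 3600


if __name__ == "__main__":
    raw = extract_timestamp(SAMPLE)
    for label, tz in (("read as UTC", timezone.utc),
                      ("read as browser-local", BROWSER_TZ)):
        stored = index_event(raw, tz)
        print(f"{label:22} stored={stored.isoformat()} "
              f"shown={browser_display(stored)} skew={skew_hours(raw, stored):+.1f}h")
```

Comparing the raw `log_timestamp` field with the stored event time in this way separates a display-side conversion (skew 0) from an ingest-side misparse (whole-hour skew), which matters when correlating these events with other sources.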