Last Seen timestamp under Hosts section appears to be incorrect

I've just been trying the new SIEM stuff out and I fired a load of data in from auditbeat, filebeat, and packetbeat on a CentOS 7 box.

When I looked at the Hosts section in the SIEM part of Kibana I noticed the value for the Last Seen field was set as a timestamp in the future (Nov 11, 2019 @ 03:43:02.000).

I tracked the timestamp and event down to an entry in an old rolled-over messages log (/var/log/messages-20181111) from November last year so it looks like the system module of filebeat thinks the message was actually from November this year!

Has anybody else seen this issue?

/var/log/messages doesn't contain the year in its log messages, so Filebeat can't really know that it's from 2018. You could ignore the whole file with the ignore_older setting in Filebeat. Or you can manually change the year to 2018 while ingesting the data.

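The year-less syslog timestamp problem described in this reply, as an added Python illustration (not Filebeat's code and not part of the original thread): a naive parser that fills in the current year, a parser that rolls the year back when that would place the event in the future, and a check that flags future-dated events before they can distort a Last Seen value. The sample log lines, the pinned "now" of 20 June 2019, and all function names are constructed for this example; the page's own recommended fix remains Filebeat's ignore_older setting.

```python
"""Timestamps in /var/log/messages (RFC 3164 style, e.g. "Nov 11 03:43:02")
carry no year. A parser that simply assumes the current year pushes events
from an old rolled-over log such as messages-20181111 into the future, which
is exactly what shows up as a future "Last Seen" in the SIEM Hosts view.
This example is added for illustration and is not Filebeat's implementation."""
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the format found in /var/log/messages.
SAMPLE_LINES = [
    "Nov 11 03:43:02 centos7 systemd: Started Session 1 of user root.",
    "Jun  3 10:15:42 centos7 sshd[1234]: Accepted publickey for root",
]

# "Now" is pinned so the example is deterministic (assumption: the file was
# ingested on 20 June 2019). Real code would use datetime.now(timezone.utc).
NOW = datetime(2019, 6, 20, 12, 0, 0, tzinfo=timezone.utc)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def split_syslog(line):
    """Return (timestamp_text, message). The syslog timestamp is 15 chars wide."""
    return line[:15], line[16:]


def _fields(ts_text):
    """Break 'Mon DD HH:MM:SS' into (month, day, hour, minute, second)."""
    mon, day, clock = ts_text.split()
    hour, minute, second = (int(x) for x in clock.split(":"))
    return MONTHS[mon], int(day), hour, minute, second


def parse_naive(ts_text, now=NOW):
    """What a year-less parser does: assume the current year, whatever that implies."""
    month, day, hour, minute, second = _fields(ts_text)
    return datetime(now.year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_with_year_inference(ts_text, now=NOW, tolerance=timedelta(days=1)):
    """Assume the current year, but fall back to the previous year when the
    result would lie in the future beyond a small clock-skew tolerance."""
    month, day, hour, minute, second = _fields(ts_text)
    for year in (now.year, now.year - 1):
        try:
            candidate = datetime(year, month, day, hour, minute, second,
                                 tzinfo=timezone.utc)
        except ValueError:
            continue  # e.g. "Feb 29" in a year that is not a leap year
        if candidate <= now + tolerance:
            return candidate
    raise ValueError(f"cannot place {ts_text!r} in {now.year} or {now.year - 1}")


def future_events(lines, now=NOW, tolerance=timedelta(days=1)):
    """Detection check: return the lines a naive parse would date in the future.
    Running this over a batch before ingest catches the rolled-over-log case."""
    flagged = []
    for line in lines:
        ts_text, _ = split_syslog(line)
        if parse_naive(ts_text, now) > now + tolerance:
            flagged.append(line)
    return flagged


def last_seen(lines, parser, now=NOW):
    """Mirror of the Hosts 'Last Seen' column: the newest timestamp in the batch."""
    return max(parser(split_syslog(line)[0], now) for line in lines)


if __name__ == "__main__":
    print("naive last seen   :", last_seen(SAMPLE_LINES, parse_naive))
    print("inferred last seen:", last_seen(SAMPLE_LINES, parse_with_year_inference))
    print("future-dated lines:", future_events(SAMPLE_LINES))
```

With the naive parser the November line lands on 11 Nov 2019, so Last Seen sits months ahead of the ingest date; with year inference it becomes 11 Nov 2018 and Last Seen correctly reflects the June event. The future_events check is the cheap guard to run over a batch when old rolled-over files might be swept up.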

Thanks, I'll give the ignore_older setting a go :wink:
