I've just been trying the new SIEM stuff out and I fired a load of data in from auditbeat, filebeat, and packetbeat on a CentOS 7 box.
When I looked at the Hosts section in the SIEM part of Kibana I noticed the value for the Last Seen field was set as a timestamp in the future (Nov 11, 2019 @ 03:43:02.000).
I tracked the timestamp and event down to an entry in an old rolled-over messages log (/var/log/messages-20181111) from November last year, so it looks like the system module of filebeat thinks the message was actually from November this year!
/var/log/messages doesn't contain the year in its log messages, so Filebeat can't really know that it's from 2018. You could ignore the whole file with the ignore_older setting in Filebeat. Or you can manually change the year to 2018 while ingesting the data.
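To make the failure mode concrete, here is an added Python example (not code from the thread, and not Filebeat's or Elastic's own parser) that reproduces the year-less syslog timestamp problem and two ways of repairing it: roll the year back when a current-year guess would land in the future relative to ingest time, or pin the year from the YYYYMMDD suffix that logrotate puts on a rotated file such as /var/log/messages-20181111. The log lines and the ingest time are constructed for the example; the rollback also covers Feb 29 lines, which a naive current-year guess cannot even parse in a non-leap year.

```python
import datetime as dt
import re

# Constructed sample lines in the classic syslog layout written to
# /var/log/messages on CentOS 7: month, day, time, no year. Not from the post.
SAMPLE_LINES = [
    "Nov 11 03:43:02 centos7 systemd: Started Session 42 of user root.",
    "Mar  3 10:15:30 centos7 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Feb 29 23:59:59 centos7 kernel: Out of memory: Kill process 4242 (java)",
]

# Constructed ingest time: the moment the SIEM read the rotated file.
INGEST_TIME = dt.datetime(2019, 3, 15, 12, 0, 0)

_TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")
_ROTATED_RE = re.compile(r"-(\d{4})(\d{2})(\d{2})$")


def _stamp(line):
    """Extract 'Mon D HH:MM:SS' from a syslog line or raise if it is absent."""
    m = _TS_RE.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return f"{m['mon']} {m['day']} {m['time']}"


def _with_year(stamp, year):
    """Build a datetime from a year-less stamp; raises ValueError for
    impossible dates such as Feb 29 in a non-leap year."""
    return dt.datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_naive(line, now):
    """Assume the current year unconditionally: the behaviour seen in the post,
    which turns an old November entry into a 'Last Seen' in the future."""
    return _with_year(_stamp(line), now.year)


def parse_rollback(line, now):
    """Assume the current year, but roll back one year when that guess would
    place the event after the ingest time or on a date that does not exist."""
    stamp = _stamp(line)
    for year in (now.year, now.year - 1):
        try:
            t = _with_year(stamp, year)
        except ValueError:  # e.g. Feb 29 outside a leap year
            continue
        if t <= now:
            return t
    raise ValueError(f"cannot place {stamp!r} within the year before {now:%Y-%m-%d}")


def parse_from_rotated_file(line, path):
    """For a rotated file named with a dateext suffix (messages-YYYYMMDD),
    every event predates the rotation, so use the day after the rotation date
    as the upper bound instead of the ingest time."""
    m = _ROTATED_RE.search(path)
    if not m:
        raise ValueError(f"no YYYYMMDD suffix on {path!r}")
    rotated = dt.datetime(int(m[1]), int(m[2]), int(m[3])) + dt.timedelta(days=1)
    return parse_rollback(line, rotated)


def last_seen(lines, now, parser=parse_rollback):
    """Newest event timestamp across the lines, i.e. the SIEM 'Last Seen' value."""
    return max(parser(line, now) for line in lines)


if __name__ == "__main__":
    lines = SAMPLE_LINES[:2]  # the Feb 29 line is not parseable with a 2019 guess
    print("naive last seen:   ", last_seen(lines, INGEST_TIME, parse_naive))
    print("rollback last seen:", last_seen(lines, INGEST_TIME))
    print("from rotated file: ",
          parse_from_rotated_file(SAMPLE_LINES[0], "/var/log/messages-20181111"))
```

The rollback heuristic is the automated form of the reply's "manually change the year to 2018 while ingesting": it is only correct if the file is ingested within a year of the newest event, which is why the rotated-file variant, which takes the bound from the filename instead, is the safer choice for an old backlog. Either way the point for the SIEM is the same: a host whose "Last Seen" is in the future will sort to the top of timelines and slip past any "seen in the last N days" detection window, so year-less logs need a year assigned before indexing, not after.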