Log files are not current

rvaedex23 · March 24, 2016, 7:23pm

I am running the Kibana GUI and the log files are not current: This the output of the first log:

March 24th 2016, 15:17:08.747
message:2015-08-13 02:36:24,038 DEBUG [AptService] [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-1] Request APT :: Request ID : 157471, Priority

The time stamp is : March 24th 2016, 15:17:08.747
the message date is 8/13/2015. How come the log file doesn't generate the most current logs?
How can I correct this.

magnusbaeck · March 24, 2016, 7:25pm

It seems like you don't have a date filter to parse the date in the input logs.

rvaedex23 · March 24, 2016, 7:33pm

How can I do that?

michalterbert · March 24, 2016, 11:22pm

You should use a date filter, in your example:
Timestamp is: March 24th 2016, 15:17:08.747
i used this: joda.timeFormat
Snippet below should works

filter{
date { match => ["MMMM dddd YYYY, HH:mm:ss.SSS"] }
}

rvaedex23 · March 25, 2016, 12:41am

Sorry I am new to ELK.

I have 4 files /etc/logstash/conf.d
rw-r--r--. 1 root root 194 Mar 10 13:32 02-beats-input.conf
-rw-r--r--. 1 root root 155 Mar 22 10:15 10-syslog.conf
-rw-r--r--. 1 root root 470 Mar 24 20:24 10-syslog-filter.conf
-rw-r--r--. 1 root root 220 Mar 23 14:26 30-elasticsearch-output.conf

Do I put the code in here, this the contents of file 10-syslog-filter.conf, where would I put it exactly.

filter {

if [type] == "syslog" {

grok {

  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }

  add_field => [ "received_at", "%{@timestamp}" ]

  add_field => [ "received_from", "%{host}" ]

}

syslog_pri { }

date {

  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]

}

}

magnusbaeck · March 25, 2016, 10:04am

The field name is missing. Should be something like:

date { match => ["name-of-field-with-timestamp", "MMMM dddd YYYY, HH:mm:ss.SSS"] }

magnusbaeck · March 25, 2016, 10:07am

That date filter is for syslog messages but the message with the incorrect timestamp doesn't look like a syslog message. It probably came via the beats input, and those message are apparently not processed by a working date filter.

rvaedex23 · March 25, 2016, 12:45pm

so where would I put the date field?

magnusbaeck · March 25, 2016, 1:33pm

Put it in whatever configuration file you have for parsing the events that arrive via the beats input. If you're not parsing those events you should start doing that. Since you have a separate file for taking care of syslog events I suggest you create a similar one for dealing with events arriving via the beats input.

Topic		Replies	Views
Logstash filter not working as expected Logstash	13	3545	June 8, 2017
Date filter return _dateparsefailure Logstash	5	313	December 22, 2020
Logstash date extraction in logs Logstash	17	3216	April 10, 2019
@timestamp not match with the log date Logstash	9	8028	April 18, 2017
Problem Kibana Timestamp - log date Logstash	2	427	March 7, 2018

Log files are not current

Related topics