Logs don't have a date in the timestamp

hi!
Using Logstash I collect logs from CommuniGate, but they come with a timestamp without a date:

15:32:37.159 SMTPI-875156([40.11.11.11]) [33221] received encrypted, 9618 bytes
15:32:37.160 QUEUE([33221]) from 9618 bytes (<20d2482083869c9564da3@loc.com>)
15:32:38.263 QUEUE([33221]) enqueued

my grok:

%{TIME:time} %{GREEDYDATA:msg}

To put the exact time of the event in @timestamp, I need to pass it the time from the %{time} field together with a date that is not in the original log.

I use mutate and %{+YYYY-MM-dd}:

# build "YYYY-MM-dd HH:mm:ss.SSS" from the formatted date and the grok %{time} capture
mutate {
    add_field => { "timestampday" => "%{+YYYY-MM-dd} %{time}" }
}

if [timestampday] {
    date {
        match  => [ "timestampday", "YYYY-MM-dd HH:mm:ss.SSS" ]
        target => "@timestamp"
    }
}

But right after 23:59 the logs began to arrive with the date 01/01/2023, and not the current date of the Logstash server. Apparently %{+YYYY-MM-dd} passed a different date.

How can I fix it?
Maybe there is a solution to this problem, or maybe there are other ways to pass a date to @timestamp for a log that has no date, only a time?

One thing you can do to match your server time is to use the timezone filter and give it the timezone of the server it is running in.

Below is just an example:

date {
    # match takes an array: the field name followed by one or more patterns
    match    => [ "timestamp", "yyyyMMdd HHmmss SSS" ]
    # zone the log was written in (tz database name)
    timezone => "CST6CDT"
}

I found a solution: simply split the date out of the incoming syslog line with grok

%{MONTH:month} %{MONTHDAY:monthday} %{TIME:date_time}

into separate month and day fields and substituted them into a new field, after which that field was sent to the timestamp:

# reassemble "MMM d HH:mm:ss.SSS" from the grok captures (month, monthday, date_time)
mutate {
    add_field => { "timestampday" => "%{month} %{monthday} %{date_time}" }
}
date {
    match  => [ "timestampday", "MMM d HH:mm:ss.SSS" ]
    target => "@timestamp"
}
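Both the original approach (borrow a date from %{+YYYY-MM-dd}) and the accepted workaround (borrow it from the syslog header) come down to the same step: attach a date to a time-only stamp. Two things are worth knowing when the date has to come from the server clock rather than the line itself. First, the sprintf reference %{+YYYY-MM-dd} formats the event's existing @timestamp field, in UTC, so it does not necessarily give the server's local date and it changes as soon as any earlier filter rewrites @timestamp. Second, a line written at 23:59:59 and read after midnight gets tomorrow's date unless the rollover is handled. The following is an added example, not code from the thread: a plain Ruby function that stitches the date of a supplied wall-clock onto a "HH:mm:ss.SSS" string and steps back one day when the result would lie implausibly far in the future. The function names, the MAX_SKEW threshold and the sample lines are my own constructions; the regex mirrors the grok pattern %{TIME:time} %{GREEDYDATA:msg} from the question.

```ruby
require 'time'

# Constructed sample lines in the CommuniGate shape shown in the question:
# a time of day with milliseconds and no date. The last two cross midnight.
SAMPLE_LINES = [
  "15:32:37.159 SMTPI-875156([40.11.11.11]) [33221] received encrypted, 9618 bytes",
  "23:59:59.950 QUEUE([33221]) from 9618 bytes (<20d2482083869c9564da3@loc.com>)",
  "00:00:00.120 QUEUE([33221]) enqueued",
].freeze

# Ruby equivalent of the grok pattern "%{TIME:time} %{GREEDYDATA:msg}".
LINE_RE = /\A(?<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?) (?<msg>.*)\z/

# Chosen threshold (assumption): an event may not be stamped further in the
# future than this many seconds before we conclude the wall-clock date rolled
# over after the line was written. It only has to exceed worst-case ingest lag
# and stay well below 24h.
MAX_SKEW = 12 * 3600

# Stitch the date (and UTC offset) of `now` onto a time-only string such as
# "23:59:59.950". Pass Time.now in production; it is a parameter so the
# midnight case can be exercised without waiting for midnight.
def stitch_date(time_str, now)
  hh, mm, ss = time_str.split(":")
  sec, frac = ss.split(".")
  frac = (frac || "0").ljust(3, "0")
  # Integer(str, 10): "08" must not be read as octal. Rational keeps the
  # milliseconds exact instead of drifting through a Float.
  seconds = Integer(sec, 10) + Rational(Integer(frac, 10), 1000)

  build = lambda do |date|
    Time.new(date.year, date.month, date.day,
             Integer(hh, 10), Integer(mm, 10), seconds, now.utc_offset)
  end

  stamped = build.call(now)
  # A line that claims to be well in the future was written before midnight
  # and read after it: it belongs to the previous calendar day.
  stamped = build.call(now - 86_400) if stamped - now > MAX_SKEW
  stamped
end

# Parse one line the way the pipeline would: "grok", then date stitching.
# Returns nil when the line does not match (grok would tag _grokparsefailure).
def parse_line(line, now = Time.now)
  m = LINE_RE.match(line) or return nil
  { "time" => m[:time], "msg" => m[:msg], "@timestamp" => stitch_date(m[:time], now) }
end

if __FILE__ == $PROGRAM_NAME
  # Pretend the batch is read 400 ms after midnight on a UTC+3 server.
  ingest = Time.new(2023, 3, 15, 0, 0, 0.4r, "+03:00")
  SAMPLE_LINES.each do |line|
    ev = parse_line(line, ingest)
    puts "#{ev['@timestamp'].iso8601(3)}  #{ev['msg']}"
  end
end
```

Inside Logstash the same function body fits a `ruby` filter: read the grok capture with `event.get("time")`, call `stitch_date` with `Time.now`, and write the result back with `event.set("@timestamp", LogStash::Timestamp.new(stamped))` (assumed wiring; the point of the example is the date-borrowing and rollover logic, which is the part the mutate/date combination cannot express). Keep the ingest lag short relative to MAX_SKEW, or the heuristic will misfile lines that really are from today.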
