Logstash date filter performs a timeshift of 3 hours

pkaramol · June 13, 2018, 11:33am

Filtering some syslog logs (which are actually stored in a file as follows):

grok {
  match => { 'message' => '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}' }
  add_field => [ 'received_at', '%{@timestamp}' ]
  add_field => [ 'received_from', '%{syslog_hostname}' ]
  add_field => [ 'unix_time', '0' ]
}

And then adding timestamp (should match a local_time field):

  date {
    target => "@timestamp"
    match => [ "local_time", "dd/MMM/yyyy:HH:mm:ss Z" ]
    # local_time="21/Jun/2015:23:45:39 +0300"
    locale => "en_us"
    tag_on_failure => ["no_date_match"]
  }

Here is an example local_time field value from my original logs:

local_time="15/Jun/2015:00:51:19 +0300"

However, my documents end up having a timestamp of 3hours behind (i.e. earlier) compared to what is mentioned in local_time

Badger · June 13, 2018, 11:56am

elasticsearch stores times as UTC. If your logs are not UTC then you need to supply the timezone option to the date filter to tell it what timezone they are in.

system · July 11, 2018, 11:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch / logstash Log time shift Logstash	7	220	June 7, 2023
Timestamp off(delay) 5 hours Logstash	8	1264	December 7, 2018
@timestamp not updated using date filter Logstash	3	483	October 3, 2019
Different Timezones in syslog for some hosts Logstash	1	242	June 23, 2022
Date parsing logstash Logstash	5	183	January 30, 2024

Logstash date filter performs a timeshift of 3 hours

Related topics