Logstash not applying correct system time to ingestion timestamp

Anthony_Zottola · June 13, 2023, 2:39pm

Hello, I live in the NA East timezone so currently we are 4 hours behind UTC,
I understand that logstash puts the @timestamp in UTC but it is putting in the wrong time.
Logstash parsed a log at 10:30 am in my timezone (Which is 2:30 pm UTC)

"@timestamp" => 2023-06-13T10:29:59.000Z,

But as you can see it says it is 10:30 am UTC which is not correct as it is 4 hours behind.

When I put the date command into the server to see the time it shows:

Tue Jun 13 02:30:31 PM UTC 2023

Badger · June 13, 2023, 3:08pm

How are you creating the [@timestamp] field?

Anthony_Zottola · June 13, 2023, 3:14pm

It is automatically created by logstash itself.
This is the conf file that is being run

input {
    syslog {
        port => 5014
    }
}
filter {
}

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        user => "elastic"
        password => "changeme" 
        index => ["syslog"]
    } 
    stdout { 
        codec => rubydebug 
    }
}

Anthony_Zottola · June 14, 2023, 4:53pm

After doing more research and finding this: Logstash Syslog @timestamp incorrect - #7 by BenB196

I fixed the issue by adding the timezone to my syslog input:

input {
    syslog {
        port => 5014
        timezone => "America/New_York"
    }
}

system · July 12, 2023, 4:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
@timestamp value for syslog input not in UTC Logstash	2	114	April 3, 2024
Logstash Syslog @timestamp incorrect Logstash	9	1930	March 5, 2019
Different Timezones in syslog for some hosts Logstash	1	242	June 23, 2022
Why my @timestamp shows wrong hour when overwritten? Logstash	3	373	December 26, 2021
Elasticsearch and Logstash Timestamp error Elasticsearch	2	338	November 1, 2018

Logstash not applying correct system time to ingestion timestamp

Related topics