Hi, my centralized syslog server is in timezone EST, logstash reads /var/log/messages (file input) on this server. Some of the servers sending syslog data are in timezone CST. If I do any searches 1 hour or less old, I do not see any data from the servers in CST.
cat /etc/logstash/conf.d/10-syslog.conf
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
For messages from CST servers, I see received_at showing time in EST, and the one hour difference as shown from syslog_timestamp.
Also using filebeat to send data to above logstash, all its timestamps are in CST.
How can I get the data from CST servers to display as well as the data from EST servers?