Not able to convert IIS Log Time to Australian Time Zone

Nitin_G · April 20, 2018, 12:27pm

Hi

I want to convert the IIS Logs time to Australia/Sydney time. Here is my Config code-

grok {

match => {"message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IPV4:s-ip} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{BASE10NUM:s-port} %{NOTSPACE:cs-username} %{IPV4:c-ip} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Referer)} %{BASE10NUM:sc-status} %{BASE10NUM:sc-substatus} %{BASE10NUM:sc-win32-status} %{BASE10NUM:time_taken}"}
}

date {
match => [ "log_timestamp", "yyyy-MM-dd HH:mm:ss"]
timezone => "Australia/Sydney"
target => "log_timestamp"
}

This log_timestamp should be converted to AEST.
Please help me to get it resolved.

magnusbaeck · April 22, 2018, 8:25pm

The date filter always converts to UTC. This is not configurable. This has been discussed many times in the past so I will not elaborate further.

anhlqn · April 24, 2018, 10:44pm

IIS already stores logs in UTC time, so you just need to tell Logstash that the timestamp is already in UTC

date {
            match => ["log_timestamp", "yyyy-MM-dd HH:mm:ss"]
            timezone => "Etc/GMT"
        }

Kibana will then display the log based on your browser's timezone.

system · May 22, 2018, 10:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.