Option to send local server timezone using filebeat

Filebeat version : 5.0.0. Alpha 5.
Logstash version : 2.3.2
OS : Red Hat 7.x

I'm currently using filebeat to parse log files for an application that writes log entries using this format :
[2016-09-08 08:26:06.242] ALL MyManager my message

Notice how the timestamp doesn't store timezone information. While it's a bad practice on the application part, it's not always something I can control.

I have this application running on servers in multiple timezones, all sending their logs to the same Logstash server.

When I parse the logs with Logstash, it will assume that the logs are either in UTC or the Logstash server timezone, neither of which is accurate for all the logs.

I found a workaround for this by stamping the server timezone in my Filebeat config :
localTimezone: EST

I then need to adjust this file on every new server (or automate it by writing a configuration generation script).

Would it help to offer an option to automatically stamp the local server timezone in every filebeat ?

I think that sounds like a reasonable feature request. Is the TZ environment variable set? If yes you can reference it in the configuration, see https://www.elastic.co/guide/en/beats/filebeat/current/using-environ-vars.html.

That said, it's better to save the timezone offset than the timezone name since the latter is ambiguous (for example, CST could mean UTC-6 or UTC-5 or UTC+8).

I wasn't aware of the environment variable options, so thanks for pointing it out. There isn't a TZ environment variable by default on my servers, but I can probably generate one.

Timezone changes between daylight savings time and standard time can also cause problems. A hardcoded configuration would have to be refreshed. The environment variable would need to be regenerated & filebeat restarted because the documentation indicates that environment variables are read at startup time.

This wouldn't be a problem with a native filebeat option to send the current timezone offset which may change over time.

There would be window of opportunity for filebeat to report invalid timezones during timezone transitions : If the log is generated at 11:59:30 EDT but it gets parsed by Filebeat with a 1 minute delay at 01:00:30 EST, the reported timezone would be EST on a EDT timestamp. The only solution for this is to modify applications to always write the timezone. So, considering how rarely this occurs, it would definitely be an improvement.

Sounds like it would be great to correlate time zone information to actual timestamps. With beats not supporting grok and not parsing timezone this is something maybe better dealt in in logstash. That is, instead of passing the current timezone, how about using location instead? Location + parsed timestamp can be used in logstash to figure the actual timezone (I hope).

This topic was automatically closed after 21 days. New replies are no longer allowed.