PANW module timezone offset

seatsea · July 19, 2019, 9:30am

I have a Paloalto firewall configured with the local timezone Europe/Paris sending syslog to a Filebeat Docker container using the default timezone of UTC using the PANW module.

Setting var.convert_timezone: true does not seem to have an impact so the the logs are being incorrectly stored in ES with UTC+2.

What part of the configuration do I need to change for the timestamps to be correct?
Is there a way for me to specify what timezone the incoming logs are using?

jsoriano · July 19, 2019, 2:52pm

Hi @seatsea and welcome

var.convert_timezone: true does two things:

It includes the timezone of the machine in the event.timezone field.
It adds a processor to the ingest pipeline to parse the timestamp using the timezone included in event.timezone.

So in principle your events will include the timezone of your filebeat (UTC), but you want to use (Europe/Paris). One thing you can try is to add a processor that sets a different timezone for the events coming from your machines in France. Something like:

processors:
  - if:
       <some condition that matches with your French machines>
    then:
      - drop_fields.fields: ['event.timezone']
      - add_fields.fields:
          event.timezone:  'Europe/Paris'

If you want to do this with all your events then there is no need to have the if/then blocks.

seatsea · July 23, 2019, 9:52am

Thanks for the answer

Using your configuration, the timezone would appear separately like this:

"fields": {
        "event": {
    "timezone": "Europe/Paris"
  }
}

So I used this configuration which seems to work

filebeat.modules:
- module: panw
  panos:
   enabled: true
   var.syslog_host: 0.0.0.0
   var.syslog_port: 9001
   var.convert_timezone: true # I'm not sure if this is having any effect

processors:
 - drop_fields.fields: ['event.timezone']
 - add_fields:
    target: event
    fields:
     timezone:  'Europe/Paris'

output:
 elasticsearch:
  hosts: ["es01:9200"]


setup.kibana:
 host: "Kibana:5601"

However, the logs still have the incorrect timestamp. For example
"@timestamp": [
"2019-07-23T11:46:15.000Z"
],

When the local Paris time is 11:46

jsoriano · July 23, 2019, 10:17am

Oh, sorry for the mistake on the configuration, you are right

Can you check if the pipeline is making use of event.timezone? You may need to reinstall the pipeline if you changed the value of var.convert_timezone. Take a look to this topic for a similar issue with other module.

seatsea · July 23, 2019, 10:33am

Adding filebeat.overwrite_pipelines: true to the configuration seems to have done the trick as no new logs are being added with a time in the future.

Thanks for your help!

system · August 20, 2019, 10:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.