I have a Paloalto firewall configured with the local timezone Europe/Paris sending syslog to a Filebeat Docker container using the default timezone of UTC using the PANW module.
Setting var.convert_timezone: true does not seem to have an impact, so the logs are being incorrectly stored in ES with UTC+2.
What part of the configuration do I need to change for the timestamps to be correct?
Is there a way for me to specify what timezone the incoming logs are using?
It includes the timezone of the machine in the event.timezone field.
It adds a processor to the ingest pipeline to parse the timestamp using the timezone included in event.timezone.
So in principle your events will include the timezone of your Filebeat (UTC), but you want to use Europe/Paris. One thing you can try is to add a processor that sets a different timezone for the events coming from your machines in France. Something like:
```yaml
processors:
  - if:
      <some condition that matches with your French machines>
    then:
      # Remove the value Filebeat set from its own host timezone (UTC) ...
      - drop_fields:
          fields: ['event.timezone']
          ignore_missing: true
      # ... and re-add the field at the event root with the firewall's timezone.
      # target: '' is required; without it add_fields nests the value under "fields".
      - add_fields:
          target: ''
          fields:
            event:
              timezone: 'Europe/Paris'
```
If you want to do this with all your events then there is no need to have the if/then blocks.
Oh, sorry for the mistake on the configuration, you are right
Can you check if the pipeline is making use of event.timezone? You may need to reinstall the pipeline if you changed the value of var.convert_timezone. Take a look at this topic for a similar issue with another module.
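To make the mechanism discussed above concrete, here is an added example (not code from this thread or from Elastic) that models what the module's ingest pipeline does when var.convert_timezone is true: the naive syslog timestamp is parsed in the zone named by event.timezone and stored as UTC. It shows why a firewall in Europe/Paris shipped through a Filebeat whose host is on UTC ends up two hours off in summer (CEST) and one hour off in winter (CET), and that overriding event.timezone on the Filebeat side, as the drop_fields/add_fields processors do, fixes the stored value. The sample timestamps, the `receive_time` field name and the helper names are constructed for this example; the timestamp format is the "YYYY/MM/DD HH:MM:SS" form PAN-OS writes in its syslog payload.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# PAN-OS receive_time as it appears in the syslog payload (no zone information).
PANOS_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def override_timezone(event: dict, tz_name: str) -> dict:
    """Model the Filebeat-side fix: replace event.timezone before shipping.

    This is the effect of the drop_fields + add_fields (target: '') processor
    pair; the hypothetical event dict mirrors the fields Filebeat would send.
    """
    return {**event, "event": {**event.get("event", {}), "timezone": tz_name}}


def parse_in_zone(raw: str, tz_name: str) -> datetime:
    """Model the ingest `date` processor with timezone: "{{ event.timezone }}".

    The naive timestamp is interpreted in tz_name and normalised to UTC,
    which is how Elasticsearch stores @timestamp.
    """
    naive = datetime.strptime(raw, PANOS_TIME_FORMAT)
    return naive.replace(tzinfo=ZoneInfo(tz_name)).astimezone(timezone.utc)


def ingest(event: dict) -> dict:
    """Apply the date processor, defaulting to UTC when event.timezone is absent."""
    tz_name = event.get("event", {}).get("timezone", "UTC")
    stored = parse_in_zone(event["receive_time"], tz_name)
    return {**event, "@timestamp": stored.isoformat()}


def stored_offset_hours(raw: str, filebeat_tz: str, firewall_tz: str) -> float:
    """How far @timestamp lands from the true time when the wrong zone is used.

    Positive means the stored value is later than the real event time.
    """
    wrong = parse_in_zone(raw, filebeat_tz)
    right = parse_in_zone(raw, firewall_tz)
    return (wrong - right).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: a log line received at 14:30 local time in Paris.
    event = {"receive_time": "2020/06/15 14:30:00", "event": {"timezone": "UTC"}}
    print("as shipped (UTC assumed):   ", ingest(event)["@timestamp"])
    print("with event.timezone fixed:  ",
          ingest(override_timezone(event, "Europe/Paris"))["@timestamp"])
    for raw in ("2020/06/15 14:30:00", "2020/01/15 14:30:00"):
        print(raw, "-> error of",
              stored_offset_hours(raw, "UTC", "Europe/Paris"), "hours")
```

Run it directly to see the summer (+2 h) and winter (+1 h) error, which is the quickest way to confirm that an index showing a constant UTC+2 skew on Paris logs is a zone problem in the pipeline rather than clock drift on the firewall.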