Hello,
i have set up logstash to get logs from syslog palo alto.
in kibana under discover i see thetimestamp like February 9th 2018, 10:00:54.000 and the datefileds like TimeLogged:February 9th 2018, 11:00:53.000
The timestamp is right and kibana is configured to use Browsertimezone.
I think the problem is that the date fields that logstash is reciving are already set with the right timezone (+1) and when i see it in discover kibana adds another +1. how can i configure kibana or logstash to set the corect timezone on the logs i recive?
The Logstash date filter plugin allows to specify the timezone used for date parsing. By default, if the date/time does not contain any information about time offsets, it's interpreted as UTC.
Thanks! I have try but i cant get it right!
here is my logstash conf
input {
syslog {
port => "5514"
type => "syslog"
tags => [ "PAN-OS_syslog" ]
}
}
filter {
if "PAN-OS_syslog" in [tags] {
# Log types are "TRAFFIC", "THREAT", "CONFIG", "SYSTEM" and "HIP-MATCH".
# Traffic log fields: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/syslog-field-descriptions#_41809
if ([message] =~ /TRAFFIC/) {
csv {
source => "message"
columns => [
"FUTURE_USE", "ReceiveTime", "SerialNumber", "Type", "Threat_ContentType", "FUTURE_USE",
"GeneratedTime", "SourceIP", "DestinationIP", "NATSourceIP", "NATDestinationIP", "RuleName",
"SourceUser", "DestinationUser", "Application", "VirtualSystem", "SourceZone", "DestinationZone",
"InboundInterface", "OutboundInterface", "LogForwardingProfile", "TimeLogged", "SessionID",
"RepeatCount", "SourcePort", "DestinationPort", "NATSourcePort", "NATDestinationPort", "Flags",
"Protocol", "Action", "Bytes", "BytesSent", "BytesReceived", "Packets", "StartTime", "ElapsedTime",
"URLCategory", "FUTURE_USE", "SequenceNumber", "ActionFlags", "SourceLocation",
"DestinationLocation", "FUTURE_USE", "PacketsSent", "PacketsReceived", "SessionEndReason",
"DeviceGroupHierarchyLevel1", "DeviceGroupHierarchyLevel2", "DeviceGroupHierarchyLevel3",
"DeviceGroupHierarchyLevel4", "VirtualSystemName", "DeviceName", "ActionSource", "SourceVMUUID",
"DestinationVMUUID", "TunnelID_IMSI", "MonitorTag_IMEI", "ParentSessionID", "ParentStartTime",
"TunnelType"
]
}
mutate {
convert => [ "Bytes", "integer" ]
convert => [ "BytesReceived", "integer" ]
convert => [ "BytesSent", "integer" ]
convert => [ "ElapsedTime", "integer" ]
convert => [ "GeoIP.dma_code", "integer" ]
convert => [ "GeoIP.latitude", "float" ]
convert => [ "GeoIP.longitude", "float" ]
convert => [ "NATDestinationPort", "integer" ]
convert => [ "NATSourcePort", "integer" ]
convert => [ "Packets", "integer" ]
convert => [ "PacketsReceived", "integer" ]
convert => [ "PacketsSent", "integer" ]
convert => [ "SequenceNumber", "integer" ]
add_tag => [ "PAN-OS_traffic"]
}
date {
match => [ "ReceiveTime" , UNIX, "%Y/%m/%d %H:%M:%S" ]
timezone => "Europe/Rome"
}
}I have add the date part but the recivetime field is still +1 in kibana and the timestamp is right
As an alternative to using the date filter, you can also set the timezone parameter on the syslog input plugin.
Same result 
Time ReceiveTime
February 12th 2018, 07:48:35.000 February 12th 2018, 08:48:34.000
input {
syslog {
port => "5514"
type => "syslog"
timezone => "Europe/Rome"
tags => [ "PAN-OS_syslog" ]
}
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.