[Still Not Solved!] Filebeat cannot recognize timezone in syslog

cosloli · July 30, 2019, 10:14am

I have deleted filebeat-7.2.0-system-syslog-pipeline and filebeat-7.2.0-system-auth-pipeline

Then I ran filebeat using the configuration like this:

/usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat -E filebeat.overwrite_pipelines=true

Then I use GET /_ingest/pipeline?pretty, but I couldn't find any new pipeline created.

The whole pipeline list after restarting the filebeat is here.

cosloli · July 30, 2019, 10:17am

well... my apology, the new pipeline has been created, and it has a timezone property!
I looked further and found that only these pipelines have the timezone property:

filebeat-7.2.0-system-syslog-pipeline (recreaeted)
filebeat-7.2.0-system-auth-pipeline (recreated)
filebeat-7.2.0-elasticsearch-server-pipeline
filebeat-7.2.0-elasticsearch-slowlog-pipeline
filebeat-7.2.0-elasticsearch-audit-pipeline

Is that normal?

Unluckily, the @timestamp in syslogs are still incorrect... The timezone configuration in syslog now is like:

"timezone" : "{{ event.timezone }}"

cosloli · July 31, 2019, 4:44am

There's other developers facing the same problems as mine! I hope you could figure out the problem and fix it. It will be so helpful.

TsuWeiQuan · July 31, 2019, 5:37am

Hello,

I have the same problem on Filebeat's elasticsearch module but it work's fine for the system module.
Let me share what i have done to fix it. However, my ELK stack is on development and not for production, hence following my procedure might cause loss of data.

My server timezone is in UTC +8:00 (Singapore)
Enabling var.convert_timezone: true converts my server timezone into UTC, which means - 8 hours.
On Kibana, Timezone for date formatting was left as default where it reads the timezone of the browser and +8 hours back from UTC.
Hence, showing the correct timing.

Re-indexing and Recreating Pipeline

Stop Filebeat on all instance that utilize the old pipeline
$ systemctl stop filebeat
Enable UTC time conversion in system.yml
Delete pipelines
$ curl -XDELETE 'http://esnode1:9200/_ingest/pipeline/filebeat-*'
Delete Related Indicies @ Index Management
Since the logs shown in kibana are in wrong time, we should reindex all the logs
In kibana, navigate to management > index management > select the index that stores the server logs
Delete it
Recreate the index
$ filebeat setup -e
$ filebeat setup --pipelines -modules="system"
Restart filebeat
$ systemctl start filebeat
Observer logs tab on kibana and it should show logs with the correct timing.

cosloli · July 31, 2019, 6:02am

Alright! I'll have a try. I have the problem on system as well as elasticsearch LOL.

system · August 28, 2019, 6:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.