Suricata logs over Filebeat

Hi.

I am sending Suricata logs with Filebeat to an ELK server. I have the eve.json configured to rotate every day at midnight.

Logs are being sent to Elastic and I can see them in the dashboards and Discover tabs. But in fact, it does not show the current logs. I have to select the 24h period and then the logs are shown with the correct timestamp (but from hours ago). For example, right now it is showing logs from today at midnight. At the time of this post, it's currently 7pm. So there's like a 20-hour difference.

How can I solve this issue?

I would check the timestamps of the raw log files, the time & time zone of both the system running suricata and your workstation. The most common cause of time issues that I've had is timezones not being correct.
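A quick way to do the check suggested above is to read a few eve.json lines, parse Suricata's own timestamp (ISO 8601 with microseconds and a numeric UTC offset), and compare each event against the wall clock of the machine you are on. The script below is an added example, not code posted in this thread or shipped with Suricata or Filebeat; the eve.json lines and the fixed "now" value are constructed so it runs offline. It also shows, in `skew_if_offset_ignored`, how many hours an event shifts if some stage of the pipeline drops the `+0100` offset and treats the wall-clock time as UTC, which is one concrete way a timezone mistake turns into the kind of multi-hour gap described in the question.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample eve.json lines (hypothetical, not real traffic).
# The offsets differ on purpose: the third line carries an offset that
# makes the event appear ~19 hours old, the last line is not JSON at all.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-03-10T18:55:02.123456+0100","event_type":"alert","src_ip":"10.0.0.5"}',
    '{"timestamp":"2021-03-10T17:58:40.000001+0000","event_type":"flow","src_ip":"10.0.0.6"}',
    '{"timestamp":"2021-03-10T00:03:11.500000+0100","event_type":"dns","src_ip":"10.0.0.7"}',
    'not json at all',
]

# Suricata writes e.g. 2021-03-10T18:55:02.123456+0100 (no colon in the offset);
# strptime's %z accepts both "+0100" and "+01:00".
SURICATA_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Assumed "current time" for the sample: 19:00 in a UTC+1 zone.
SAMPLE_NOW = datetime(2021, 3, 10, 19, 0, 0, tzinfo=timezone(timedelta(hours=1)))


def parse_eve_timestamp(value):
    """Parse a Suricata eve.json timestamp string into a timezone-aware datetime."""
    return datetime.strptime(value, SURICATA_TS_FORMAT)


def check_eve_lines(lines, now, max_skew=timedelta(minutes=15)):
    """Compare each event's timestamp against `now` (tz-aware) and report the skew.

    Returns one dict per input line with status "ok", "skewed" or "unparseable".
    A skew well beyond max_skew on fresh events points at a clock or timezone
    problem on the Suricata host rather than at Filebeat or Elasticsearch.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
            ts = parse_eve_timestamp(event["timestamp"])
        except (ValueError, KeyError, TypeError) as exc:
            findings.append({"line": n, "status": "unparseable", "detail": str(exc)})
            continue
        skew = now - ts  # positive: the event lies in the past relative to now
        findings.append({
            "line": n,
            "status": "ok" if abs(skew) <= max_skew else "skewed",
            "event_utc": ts.astimezone(timezone.utc).isoformat(),
            "offset_hours": ts.utcoffset().total_seconds() / 3600,
            "skew_hours": round(skew.total_seconds() / 3600, 2),
        })
    return findings


def skew_if_offset_ignored(ts_value):
    """Hours by which an event moves if its UTC offset is dropped and the
    wall-clock part is treated as UTC (a typical timezone mistake)."""
    ts = parse_eve_timestamp(ts_value)
    naive_as_utc = ts.replace(tzinfo=timezone.utc)
    return (naive_as_utc - ts).total_seconds() / 3600


if __name__ == "__main__":
    # Against the constructed sample; replace SAMPLE_EVE_LINES with lines read
    # from the real eve.json and SAMPLE_NOW with datetime.now(timezone.utc).
    for finding in check_eve_lines(SAMPLE_EVE_LINES, SAMPLE_NOW):
        print(finding)
    print("shift if +0100 is ignored:",
          skew_if_offset_ignored("2021-03-10T18:55:02.123456+0100"), "h")
```

On a live host, run it against the last few hundred lines of eve.json with `now` taken from `datetime.now(timezone.utc)`: if the freshest events are already hours off, the Suricata box's clock or timezone is wrong before Filebeat ever sees the file; if they are correct there but wrong in Kibana, compare the offset in the raw line with the `@timestamp` of the same document in Elasticsearch and the timezone of the browser viewing Kibana.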
