Kibana is using the browser timezone, and logs like ufw and auth show correctly in Kibana.
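When viewing the timeline in Kibana, the current syslog logs (system module) are displayed 5 hours behind, whereas the auth and ufw logs (configured in filebeat.yml) are being written at the current time. In the example below, @timestamp renders as 12:16:37, while the raw system.syslog.timestamp is 17:16:37 (with no timezone) and the Kibana log line inside the message records 22:16:37Z.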
We're not using custom fields. Everything is vanilla at this point.
Example syslog doc:
@timestamp February 28th 2018, 12:16:37.000
_index filebeat-6.2.2-2018.02.28
_score -
_type doc
beat.name es-01
beat.version 6.2.2
fileset.module system
fileset.name syslog
offset 5,651,821
prospector.type log
source /var/log/syslog
system.syslog.hostname XXXXXXXXXXXXXXXXX
system.syslog.message
{"type":"response","@timestamp":"2018-02-28T22:16:37Z","tags":[],"pid":19682,"method":"get","statusCode":200,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"connection":"upgrade","host":"XXXXXXXXXXXXXXXXX","x-real-ip":"XXXXXXXXXXXXXXXXX","x-forward-for":"XXXXXXXXXXXXXXXXX, XXXXXXXXXXXXXXXXX","x-forward-proto":"http","x-nginx-proxy":"true","accept-encoding":"gzip","cf-ipcountry":"US","x-forwarded-for":"XXXXXXXXXXXXXXXXX","cf-ray":"3f46bfd07ab157b3-IAD","x-forwarded-proto":"https","cf-visitor":"{\"scheme\":\"https\"}","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36","accept":"image/webp,image/apng,image/*,*/*;q=0.8","referer":"https://XXXXXXXXXXXXXXXXX/app/kibana","accept-language":"en-US,en;q=0.9","cf-connecting-ip":"XXXXXXXXXXXXXXXXX"},"remoteAddress":"127.0.0.1","userAgent":"127.0.0.1","referer":"https://XXXXXXXXXXXXXXXXX"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /ui/favicons/favicon-16x16.png 200 3ms - 9.0B"}
system.syslog.pid 19682
system.syslog.program kibana
system.syslog.timestamp Feb 28 17:16:37