Hello, I have a problem with the Filebeat haproxy module.
All logs are parsed directly from Filebeat 7.5.0 to ELK 7.5.0, but the lines with an SSL handshake failure are displayed one hour in the future.
Here is my JSON output:
{
"_index": "filebeat-7.5.0-2020.03.05-000024",
"_type": "_doc",
"_id": "CGQTsHAB44abDEp1fnUS",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "haproxy",
"id": "4d23cae7-e2c2-4c29-b545-****252b05b",
"type": "filebeat",
"ephemeral_id": "b479422c-1d86-*****-****-b657cbc1cc08",
"version": "7.5.0"
},
"process": {
"name": "haproxy",
"pid": 7678
},
"log": {
"file": {
"path": "/var/log/haproxy.log"
},
"offset": 177032605
},
"source": {
"geo": {
"continent_name": "****",
"region_iso_code": "****",
"city_name": "***",
"country_iso_code": "**",
"region_name": "******",
"location": {
"lon": ***,
"lat": ****
}
},
"as": {
"number": 3320,
"organization": {
"name": "*****"
}
},
"address": "*****",
"port": *****,
"ip": "*****"
},
"fileset": {
"name": "log"
},
"input": {
"type": "log"
},
"@timestamp": "2020-03-06T14:40:30.478Z",
"ecs": {
"version": "1.1.0"
},
"service": {
"type": "haproxy"
},
"host": {
"hostname": "haproxy",
"os": {
"kernel": "*****",
"codename": "****",
"name": "****",
"family": "****",
"version": "***** 1*.0*",
"platform": "***"
},
"containerized": false,
"name": "haproxy",
"id": "01fabdf80b364fa1a051196c3be9e04f",
"architecture": "x86_64"
},
"haproxy": {
"error_message": "SSL handshake failure",
"bind_name": "1:",
"frontend_name": "****SSL"
},
"event": {
"module": "haproxy",
"dataset": "haproxy.log"
}
},
"fields": {
"suricata.eve.timestamp": [
"2020-03-06T14:40:30.478Z"
],
"@timestamp": [
"2020-03-06T14:40:30.478Z"
]
},
"highlight": {
"haproxy.error_message": [
"SSL handshake @kibana-highlighted-field@failure@/kibana-highlighted-field@"
]
},
"sort": [
1583505630478
]
}
In this output you can see the wrong timestamp.
Can you help me understand it and maybe fix it?