Timestamp issue with Cisco ios module

Hello together,

If I use the Cisco ios module, I have an issue with the timezone. The field @timestamp contains Z instead of +2.00 (from MEST).

Here is my example:

Here is the input log line:

Apr 13 08:59:29 test.ch 2916048: Apr 13 08:59:28.195 MEST: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface GigabitEthernet1/0/9 AuditSessionID 0A06DF0B000004B68EDDDA54. Failure reason: Authc fail. Authc failure reason: Missing Config.

Here is a part of the JSON in Elastic:

"@timestamp": "2021-04-13T08:59:28.195Z",
"event": {
  "severity": 5,
  "sequence": 2916048,
  "code": "FAIL",
  "timezone": "+02:00",
  "module": "cisco",
  "dataset": "cisco.ios"
}

For now I solved this with a Painless script like:

  {
    "script": {
      "lang": "painless",
      "source": """
        // Shift the value back by the hours part of event.timezone (sign and minutes are ignored).
        ctx['@timestamp'] = ZonedDateTime.parse(ctx['@timestamp']).minusHours(Integer.parseInt(ctx.event.timezone.substring(1,3)));
      """,
      "ignore_failure": true
    }
  },
  {
    "date": {
      "field": "@timestamp",
      "target_field": "@timestamp",
      "formats": [
        "ISO8601"
      ],
      "timezone": "Europe/Zurich",
      "ignore_failure": true
    }
  }

But this is not the "nice" way.

The time on the server where Filebeat is running is correct.

Is that a bug in the Cisco ios module?
Any ideas?

Kind regards,
Patrick
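
The symptom described above, reproduced outside Elasticsearch as an added example (not part of the original post and not the Filebeat module's code): it reads the device wall-clock time from the log line, converts it to UTC using the `event.timezone` offset including sign and minutes, and measures how far the event moves on a timeline when that wall-clock time is stamped `Z`. The function names, the shortened sample line and the `year` parameter (the syslog line carries no year) are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the log line from the post, shortened.
SAMPLE = ("Apr 13 08:59:29 test.ch 2916048: Apr 13 08:59:28.195 MEST: "
          "%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed")

# Device timestamp after the sequence number, e.g. "Apr 13 08:59:28.195 MEST:"
DEVICE_TS = re.compile(
    r": (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<abbr>[A-Z]+): %")
OFFSET = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def parse_offset(text):
    """Turn an event.timezone value such as '+02:00' or '-03:30' into a tzinfo."""
    m = OFFSET.match(text)
    if not m:
        raise ValueError(f"unsupported offset: {text!r}")
    sign = -1 if m.group(1) == "-" else 1
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(sign * delta)


def device_time_utc(line, offset, year):
    """Read the device wall-clock time and convert it to UTC using the offset."""
    m = DEVICE_TS.search(line)
    if not m:
        raise ValueError("no device timestamp found")
    ts = m.group("ts")
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    local = datetime.strptime(f"{year} {ts}", fmt)
    return local.replace(tzinfo=parse_offset(offset)).astimezone(timezone.utc)


def skew_if_labelled_utc(line, offset, year):
    """Timeline error when the wall-clock time is stored with a 'Z' suffix."""
    correct = device_time_utc(line, offset, year)
    wrong = device_time_utc(line, "+00:00", year)
    return wrong - correct


if __name__ == "__main__":
    print("correct UTC:", device_time_utc(SAMPLE, "+02:00", 2021).isoformat())
    print("skew when stamped Z:", skew_if_labelled_utc(SAMPLE, "+02:00", 2021))
```

With the values from the post, the authorization failure is indexed two hours later than it happened, which misorders it against correctly stamped sources when events are correlated.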
