Hello everyone,
If I use the Cisco IOS module, I have an issue with the timezone. The field @timestamp contains Z instead of +2.00 (from MEST).
Here is my example:
Here is the input log line:
Apr 13 08:59:29 test.ch 2916048: Apr 13 08:59:28.195 MEST: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface GigabitEthernet1/0/9 AuditSessionID 0A06DF0B000004B68EDDDA54. Failure reason: Authc fail. Authc failure reason: Missing Config.
Here is a part of the JSON in Elastic:
"@timestamp": "2021-04-13T08:59:28.195Z",
"event": {
  "severity": 5,
  "sequence": 2916048,
  "code": "FAIL",
  "timezone": "+02:00",
  "module": "cisco",
  "dataset": "cisco.ios"
}
For now I solved this with a Painless script like:
{
  "script": {
    "lang": "painless",
    "source": """
      ctx['@timestamp'] = ZonedDateTime.parse(ctx['@timestamp']).minusHours(Integer.parseInt(ctx.event.timezone.substring(1,3)));
    """,
    "ignore_failure": true
  }
},
{
  "date": {
    "field": "@timestamp",
    "target_field": "@timestamp",
    "formats": [
      "ISO8601"
    ],
    "timezone": "Europe/Zurich",
    "ignore_failure": true
  }
}
But this is not the "nice" way.
The time on the server where Filebeat is running is correct.
Is that a bug in the Cisco IOS module?
Any ideas?
Kind regards,
Patrick
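
Added example, not part of the original post and not code from the Filebeat Cisco module: a Python conversion of the device timestamp in the log line above to UTC that keeps the sign and minutes of the offset, so events from different zones line up during correlation. The abbreviation table, the function names and the `year` argument are assumptions (syslog lines carry no year, and zone abbreviations are site-specific).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: shortened copy of the log line from the post.
SAMPLE = (
    "Apr 13 08:59:29 test.ch 2916048: Apr 13 08:59:28.195 MEST: "
    "%SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed")

# Assumed abbreviation table; extend it for the zones your devices are configured with.
TZ_OFFSETS = {"MEST": "+02:00", "MET": "+01:00", "UTC": "+00:00", "EST": "-05:00"}

# Device timestamp followed by a zone abbreviation, right before the %FACILITY tag.
DEVICE_TS = re.compile(
    r": (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<tz>[A-Z]{2,5}): %")


def parse_offset(text):
    """Turn '+02:00' or '-05:30' into a tzinfo, keeping sign and minutes."""
    m = re.fullmatch(r"([+-])(\d{2}):(\d{2})", text)
    if not m:
        raise ValueError(f"bad offset: {text!r}")
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(-delta if m.group(1) == "-" else delta)


def device_time_utc(line, year):
    """Return the device timestamp of a Cisco IOS syslog line as an aware UTC datetime."""
    m = DEVICE_TS.search(line)
    if not m:
        raise ValueError("no device timestamp with zone abbreviation found")
    abbr = m.group("tz")
    if abbr not in TZ_OFFSETS:
        # Fail loudly instead of silently storing local time as UTC.
        raise ValueError(f"unknown zone abbreviation: {abbr}")
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in m.group("ts") else "%Y %b %d %H:%M:%S"
    local = datetime.strptime(f"{year} {m.group('ts')}", fmt)
    return local.replace(tzinfo=parse_offset(TZ_OFFSETS[abbr])).astimezone(timezone.utc)


def to_iso_z(dt):
    """Format an aware UTC datetime the way @timestamp is shown in the post."""
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


if __name__ == "__main__":
    print(to_iso_z(device_time_utc(SAMPLE, 2021)))
```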