Timestamp off(delay) 5 hours

netvmdb · November 9, 2018, 4:00pm

Running version 6.2.4. Multiple logstash and each for different log type, like messages, secure... Index for messages log is off 5 hours. Everything else is correct. All logstash.conf files are similar. Here is the filter part of logstash.conf for messages log.

filter {
  if [type] == "messages" {
	grok {
	  match => { "message" => [ "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}",
							  "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" ] }
	  add_field =>  {
		"received_at" => "%{@timestamp}"
		"received_from" => "%{host}"
	  }
	}
	date {
	  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
	}
	mutate {
	  replace => { "syslog_timestamp" => "@timestamp" }
	}
  }
}

Thanks,
netvmdb

netvmdb · November 9, 2018, 6:27pm

In kibana,

@timestamp: November 9th 2018, 05:49:03.000
message: Nov 9 10:49:03

All other indices have correct timestamp, which the @timestamp is same as the time from message. But this one is different.

Christian_Dahlqvist · November 9, 2018, 7:01pm

Timestamps in Elasticsearch are always in UTC timezone. Kibana can adjust to the local timezone in the UI, but does not alter the source document. Are you by any chance located in a place that is 5 hours off UTC?

netvmdb · November 9, 2018, 7:41pm

I am in east time zone. Didn't set timezone either in Elasticsearch nor in Kibana.
When I create index pattern in Kibana, after enter index pattern, I select "@timstamp" from dropdown under "Time Filter field name".

In logstash.conf, I extract timestamp from message and assign it to "syslog_timestamp". Then replace "@timestamp" with value from "syslog_timestamp". I have several other type of logs, they all match @timestamp with timestamp from message. Only this index it doesn't match.

Christian_Dahlqvist · November 9, 2018, 8:01pm

If the timestamp is not in the local timezone when logs are generated, you may need to specify timezone in the date filter. I think Logstash by default assumes the timestamp is in the same timezone as the host where it is being processed.

netvmdb · November 9, 2018, 8:17pm

Could you show me how to specify timezone in date filter? My logstash.conf is on top of post.
Thanks.

Christian_Dahlqvist · November 9, 2018, 9:49pm

I am not at a computer now, but I believe there should be an example in the documentation.

netvmdb · November 9, 2018, 11:03pm

I got it.
timezone => "America/New_York"

Thanks for your help, Christian.

system · December 7, 2018, 11:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Different Timezones in syslog for some hosts Logstash	1	242	June 23, 2022
Logstash date filter performs a timeshift of 3 hours Logstash	2	772	July 11, 2018
Logstash not ignoring syslog event date Logstash	3	675	July 6, 2017
Set timestamp from message Logstash	5	2693	April 30, 2021
Logstash Syslog @timestamp incorrect Logstash	9	1930	March 5, 2019

Timestamp off(delay) 5 hours

Related topics