Our setup is:
Winlogbeat on endpoints which ships data to an API
API sends logs to sqs queue
Logstash VM picks up from sqs and contextualises logs then forwards them on to another sqs queue
Another application processes those logs and indexes them into ES
Our issue is that the @timestamp value that is being indexed into Elasticsearch is at a later date than the event.created value, which means that the processed time is BEFORE the event occurred on the endpoint (which is obviously incorrect).
Based on this statement:
event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contains the time extracted from the original event.
Could it be that our Logstash VM that sits in the middle of the Winlogbeat agents and Elasticsearch is updating the @timestamp value to be the time that Logstash processes it and not the time that the original event occurred on the endpoint?
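As an added example that is not part of the original post: a small Python check you could run over a sample of the indexed documents to list the ones whose @timestamp postdates event.created, which is the symptom of a pipeline stage stamping its own processing time into @timestamp. The sample documents and their ids are constructed; the field names follow ECS.

```python
"""Flag indexed documents whose @timestamp is later than event.created.

Added example, not from the original post. The sample documents below are
constructed; field names follow ECS (@timestamp, event.created).
"""
from datetime import datetime, timezone

# Constructed sample documents in the shape Winlogbeat/ECS produces.
SAMPLE_DOCS = [
    # Healthy: the original event time precedes the time the agent read it.
    {"_id": "ok-1", "@timestamp": "2024-03-01T10:00:00.000Z",
     "event": {"created": "2024-03-01T10:00:02.500Z"}},
    # Suspicious: @timestamp is later than event.created, which is what you
    # see when a pipeline stage replaces @timestamp with its own clock.
    {"_id": "bad-1", "@timestamp": "2024-03-01T10:05:30.000Z",
     "event": {"created": "2024-03-01T10:00:02.500Z"}},
    # Missing event.created: cannot be judged, so it is reported separately.
    {"_id": "nocreated", "@timestamp": "2024-03-01T10:00:00.000Z", "event": {}},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_overwritten_timestamps(docs, tolerance_seconds=0.0):
    """Return (suspects, unjudgeable).

    suspects: list of (id, seconds by which @timestamp exceeds event.created).
    unjudgeable: ids lacking either field.
    A gap larger than tolerance_seconds means @timestamp was set after the
    agent had already read the event, so it cannot be the original event time.
    """
    suspects, unjudgeable = [], []
    for doc in docs:
        ts = doc.get("@timestamp")
        created = doc.get("event", {}).get("created")
        if not ts or not created:
            unjudgeable.append(doc.get("_id"))
            continue
        gap = (parse_ts(ts) - parse_ts(created)).total_seconds()
        if gap > tolerance_seconds:
            suspects.append((doc.get("_id"), gap))
    return suspects, unjudgeable


if __name__ == "__main__":
    bad, skipped = find_overwritten_timestamps(SAMPLE_DOCS)
    for doc_id, gap in bad:
        print(f"{doc_id}: @timestamp is {gap:.1f}s after event.created")
    print("unjudgeable:", skipped)
```

Running the same check against a sample exported from before and after the Logstash stage tells you which hop introduces the inverted timestamps.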