I've noticed that the @timestamp and the timestamp in the message do not match. I'm using Filebeats to push syslog to my ES cluster.
Here's a screenshot of what I'm talking about. I'm currently using the index template what ships with Filebeat. How do I get the @timestamp and the timestamp from the syslog to match?
@timestamp is the time that Filebeat read the line. Filebeat does not parse the lines it reads so I does not have any awareness that there is a timestamp in the line that it read.
To parse the data out of the line you need to send the data to Logstash and configure Logstash to enrich the data sent to Elasticserach. The Getting Started guide describes how to configure Filebeat to ship data to Logstash.
Once the you have the data going to Logstash you can use a grok filter to make sense of the unstructured syslog lines and replace the @timestamp value or add a second timestamp field.
Thanks Andrew for your input.
Could you fix it? I have the same problem.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
