Disclaimer: ELK beginner
Hi. So I just upgraded my Logstash (2.x) to 5.1.1. Prior to this, I had VPN logs.
When I started Logstash, my previous VPN logs had their timestamps changed. All entries now have the current date, and that's not what I need to see on the graphs. I am supposed to have the VPN logins per day, but now it shows all my logins happening today.
Now, I had this grok right here before:

    if [type] == "openvpn" {
      grok {
        match => { "message" => "%{WORD:timestamp_day} %{SYSLOGTIMESTAMP:openvpn_timestamp} %{NUMBER:timestamp_year} %{IP:openvpn_client}\:%{POSINT:openvpn_pid} %{GREEDYDATA:openvpn_message}" }
      }
    }
Luckily, I have recorded the 'original' timestamp of when the log was made through 'openvpn_timestamp'. I guess I won't have a problem with future entries.
I am misunderstanding the @timestamp field. I thought it automatically converts to the time when the log was made, not when the log was pushed to Logstash. Is this correct?
Also, is there any way I can revert the entries back to their original timestamp?
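The usual way to make @timestamp carry the time the log line was written rather than the time Logstash received it is a `date` filter after the grok. The following pipeline fragment is an added example, not code from the post above or from the Logstash project; it keeps the grok pattern from the post unchanged and assumes the OpenVPN lines look like "Tue Jan 10 08:15:42 2017 10.8.0.6:1194 ..." (the shape that pattern implies). The field name `openvpn_logged_at` and the `timezone` value are illustrative choices, not anything from the original.

```logstash
filter {
  if [type] == "openvpn" {
    grok {
      match => { "message" => "%{WORD:timestamp_day} %{SYSLOGTIMESTAMP:openvpn_timestamp} %{NUMBER:timestamp_year} %{IP:openvpn_client}\:%{POSINT:openvpn_pid} %{GREEDYDATA:openvpn_message}" }
    }

    # Rebuild the complete log timestamp from the three pieces grok captured,
    # e.g. "Tue Jan 10 08:15:42 2017". openvpn_logged_at is a name chosen here.
    mutate {
      add_field => { "openvpn_logged_at" => "%{timestamp_day} %{openvpn_timestamp} %{timestamp_year}" }
    }

    # Parse that string and write the result into @timestamp. Without a date
    # filter, @timestamp is simply the moment the event entered Logstash.
    date {
      match => [ "openvpn_logged_at",
                 "EEE MMM dd HH:mm:ss yyyy",
                 "EEE MMM  d HH:mm:ss yyyy" ]   # second pattern: single-digit day padded with a space
      target => "@timestamp"
      # OpenVPN writes local time with no zone; set this to the VPN server's
      # zone if it differs from the Logstash host (example value, adjust it).
      timezone => "Europe/Berlin"
      # Keep the intermediate field out of the index; on a parse failure the
      # date filter leaves it in place and adds the "_dateparsefailure" tag.
      remove_field => [ "openvpn_logged_at" ]
    }
  }
}
```

A `date` filter only acts on events passing through the pipeline, so documents already indexed with the wrong @timestamp are not corrected by it. The simplest way to recover them is to delete the affected index and replay the original OpenVPN log files through the corrected pipeline (for a `file` input: `start_position => "beginning"` and a fresh `sincedb_path`, otherwise Logstash skips lines it believes it has already read). Check the result by searching for the `_dateparsefailure` tag: any hit means a line did not match one of the two formats and still carries the ingestion time.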