TImezone in Elasticsearch logs

cheshirecat · September 2, 2022, 10:27am

Hello There!
I see that my logs for Elasticsearch have different timezone that my server.
For my server I have got set timezone:

'pią' is shortcut for 'piątek' that means 'Friday' in Polish.
My logs however got UTC timezone:

September 2, 2022 10:15:25 AM
	
INFO
	
Server
	
successfully reloaded changed geoip database file [/tmp/elasticsearch-12446836234446054485/geoip-databases/CVsfpe93TZqMenYYAvjJvA/GeoLite2-City.mmdb]
	
o.e.i.g.DatabaseNodeService
	
node-1
September 2, 2022 10:15:19 AM
	
INFO
	
Server
	
successfully reloaded changed geoip database file [/tmp/elasticsearch-12446836234446054485/geoip-databases/CVsfpe93TZqMenYYAvjJvA/GeoLite2-Country.mmdb]
	
o.e.i.g.DatabaseNodeService
	
node-1

Print screen:

What can I do to have same timezone for all settings, logs and indicies in my cluster?

warkolm · September 6, 2022, 1:10am

Elasticsearch assumes that the timestamp that you are passing to it is in UTC, and has a TZ in there as needed.

I guess it comes down to how you process your events, and if you are taking this into account.

cheshirecat · September 6, 2022, 6:55am

Thank you @warkolm for a reply.
Am I able to change timestamp to my timezone? I can't find it in docs but I have found this post. It is seven years old so I don't know will it still work.

warkolm · September 6, 2022, 7:56am

How are you ingesting data?

cheshirecat · September 6, 2022, 8:08am

I hope this is an answer for your question - my logstash.conf file looks like this:

input {
  beats {
    port => {{port_number_1}}
    ssl_key => '/etc/logstash/es.key.pem'
    ssl_certificate => '/etc/logstash/es.crt.pem'
    ssl => true
    host => "{{ip_address}}"
  }
}

output {
  elasticsearch {
    ssl_certificate_verification => false
    cacert => '/etc/logstash/elastic-stack-ca.crt'
    password => "{{pass}}"
    user => "elastic"
    hosts => ["https://{{ip_address}}:{{port_number_2}}" ,"https://{{ip_address}}:{{port_number_2}}" ,"https://{{ip_address}}:{{port_number_2}}" ]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

warkolm · September 6, 2022, 8:46am

What Beat(s)? And how are they configured?

They should be pretty smart in picking up the system TZ and adjusting, but it pays to check.

cheshirecat · September 6, 2022, 8:49am

Beats that I use are:

metricbeat
filebeat
auditbeat
heartbeat

system · October 4, 2022, 8:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash => ES, Timezone and IndexName Logstash	4	2684	August 22, 2017
Elasticserach change TimeZone Elasticsearch	5	6567	December 2, 2020
Different Timezones in syslog for some hosts Logstash	1	242	June 23, 2022
Change existing timezone Logstash	3	270	August 10, 2018
How to specify timezone on elasticsearch? Elasticsearch	7	18051	January 23, 2021

TImezone in Elasticsearch logs

Related topics