TImezone in Elasticsearch logs

cheshirecat · September 2, 2022, 10:27am

Hello There!
I see that my logs for Elasticsearch have different timezone that my server.
For my server I have got set timezone:

'pią' is shortcut for 'piątek' that means 'Friday' in Polish.
My logs however got UTC timezone:

September 2, 2022 10:15:25 AM
	
INFO
	
Server
	
successfully reloaded changed geoip database file [/tmp/elasticsearch-12446836234446054485/geoip-databases/CVsfpe93TZqMenYYAvjJvA/GeoLite2-City.mmdb]
	
o.e.i.g.DatabaseNodeService
	
node-1
September 2, 2022 10:15:19 AM
	
INFO
	
Server
	
successfully reloaded changed geoip database file [/tmp/elasticsearch-12446836234446054485/geoip-databases/CVsfpe93TZqMenYYAvjJvA/GeoLite2-Country.mmdb]
	
o.e.i.g.DatabaseNodeService
	
node-1

Print screen:

What can I do to have same timezone for all settings, logs and indicies in my cluster?

warkolm · September 6, 2022, 1:10am

Elasticsearch assumes that the timestamp that you are passing to it is in UTC, and has a TZ in there as needed.

I guess it comes down to how you process your events, and if you are taking this into account.

cheshirecat · September 6, 2022, 6:55am

Thank you @warkolm for a reply.
Am I able to change timestamp to my timezone? I can't find it in docs but I have found this post. It is seven years old so I don't know will it still work.

warkolm · September 6, 2022, 7:56am

How are you ingesting data?

cheshirecat · September 6, 2022, 8:08am

I hope this is an answer for your question - my logstash.conf file looks like this:

input {
  beats {
    port => {{port_number_1}}
    ssl_key => '/etc/logstash/es.key.pem'
    ssl_certificate => '/etc/logstash/es.crt.pem'
    ssl => true
    host => "{{ip_address}}"
  }
}

output {
  elasticsearch {
    ssl_certificate_verification => false
    cacert => '/etc/logstash/elastic-stack-ca.crt'
    password => "{{pass}}"
    user => "elastic"
    hosts => ["https://{{ip_address}}:{{port_number_2}}" ,"https://{{ip_address}}:{{port_number_2}}" ,"https://{{ip_address}}:{{port_number_2}}" ]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

warkolm · September 6, 2022, 8:46am

What Beat(s)? And how are they configured?

They should be pretty smart in picking up the system TZ and adjusting, but it pays to check.

cheshirecat · September 6, 2022, 8:49am

Beats that I use are:

metricbeat
filebeat
auditbeat
heartbeat

system · October 4, 2022, 8:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticserach change TimeZone Elasticsearch	5	6484	December 2, 2020
Different Timezones in syslog for some hosts Logstash	1	242	June 23, 2022
How to specify timezone on elasticsearch? Elasticsearch	7	17862	January 23, 2021
Timezone problem when output to Elasticsearch Logstash	11	1253	September 15, 2022
Log Timezone Question Logstash	13	4848	January 10, 2020

TImezone in Elasticsearch logs

Related Topics