Timezone in UTC causes wrong filename

i have a logserver with logstash only. no elasticsearch nor kibana.

all other servers are using filebeat to send log to the logserver.

logstash writes to /var/log/logstash/appname.txt.%{+YYYY-MM-dd} after some processing is done (filters).

the problem is that my timezone is -3 (brazil) but the filenames are in UTC.

how can i make sure the logs are writen in the correct file?

output {
    file {
        codec => line { format => '%{@timestamp} %{message}'}
        path  => '/var/log/logstash/debug.txt.%{+YYYY-MM-dd}'
    }
}

Have you searched?

And many more...

To do this using the @timestamp field is not possible, you will need to use a ruby filter to create auxiliary fields with the values that you want in the output, one field should have the pattern YYYY-MM-dd in your timezone, and the other field should have the @timestamp converted to your timezone.

Using one of the examples that @AClerk shared, you will need something like this.

filter {
    # this ruby filter sets the field [@metadata][index] as YYYY-MM-dd in your timezone
    ruby {
        code => "event.set('[@metadata][index]', event.get('[@timestamp]').time.localtime.strftime('%Y-%m-%d'))"
    }
    # this ruby filter sets the field [@metadata][timestamp] as YYYY-mm-dd HH:MM:ss.SSS
    ruby {
        code => "event.set('[@metadata][timestamp]', event.get('[@timestamp]').time.localtime.strftime('%Y-%m-%d %H:%M:%S.%L'))"
    }
    
}
output {
    file {
        codec => line { format => '%{[@metadata][timestamp]} %{message}'}
        path => "/var/log/logstash/debug.txt.%{[@metadata][index]}"
    }
}

This way you will create two auxiliary fields with the values you need in your timezone, the @timestamp field is always in UTC.

perfect. thanks.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.