Today, when I created a rule in the SIEM, the "last run" field showed "in 3 hours". After some digging, I found that the clock on the ELK machine (single-node cluster, CentOS 7) was behind. I corrected it using NTP, and now when I use the timedatectl command it shows the correct time (same as my browser), but that didn't fix my ELK problem. If I query a document that was created seconds ago, the timestamp is 3 hours behind. Same problem in the Discover tab. Should I restart my machine?
- ELK version: 7.8
Maybe you are seeing the UTC time zone?
Are you located in UTC+3?
Yes, that's correct. The timestamps are based on UTC and the browser automatically adds the time zone, but somehow, instead of +3 hours, Kibana showed +6 hours.
After I restarted the ELK machine, the problem got solved.
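The mechanism described in the thread, shown as an added example that is not part of the original posts: Elasticsearch stores `@timestamp` in UTC, Kibana shifts it into the browser's zone for display, and a clock that is behind on the ingesting host shows up as event timestamps that lag a trusted reference clock. The browser zone (UTC+3), the sample documents and the 5-minute tolerance are assumptions made for the example; the skew check is a generic comparison, not a Kibana or Elasticsearch API.

```python
"""Added example: UTC storage, browser-zone rendering, and a clock-skew check.

The sample documents, the UTC+3 browser zone and the tolerance are constructed
for this illustration; they are not data from the original thread.
"""
from datetime import datetime, timedelta, timezone

# Assumed browser zone for the example (the thread's user is in UTC+3).
BROWSER_ZONE = timezone(timedelta(hours=3), name="UTC+03:00")


def parse_es_timestamp(ts: str) -> datetime:
    """Parse an ISO 8601 @timestamp the way it is stored in Elasticsearch.

    A trailing 'Z' means UTC. A value without any offset is treated as UTC,
    which is how Elasticsearch interprets date fields that carry no zone.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def render_for_browser(ts: str, zone: timezone = BROWSER_ZONE) -> str:
    """Mimic what the Discover tab shows: the stored UTC value shifted into
    the browser's local zone. The stored document is never changed."""
    return parse_es_timestamp(ts).astimezone(zone).strftime("%Y-%m-%d %H:%M:%S %z")


def clock_skew(ts: str, reference_now: datetime) -> timedelta:
    """Skew of the clock that stamped the event relative to a trusted UTC
    reference (for example an NTP-synced host). Negative means the stamping
    clock is behind, which is the symptom reported in the thread."""
    return parse_es_timestamp(ts) - reference_now.astimezone(timezone.utc)


def skewed_docs(docs, reference_now: datetime, tolerance: timedelta = timedelta(minutes=5)):
    """Return (id, skew) for documents whose timestamp is further from the
    reference clock than the tolerance. Run this over documents that were
    indexed moments ago to catch a drifting or unsynced host."""
    flagged = []
    for doc in docs:
        skew = clock_skew(doc["@timestamp"], reference_now)
        if abs(skew) > tolerance:
            flagged.append((doc["_id"], skew))
    return flagged


# Constructed sample input: a trusted "now" and two documents indexed seconds ago.
REFERENCE_NOW = datetime(2020, 7, 15, 12, 0, 5, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"_id": "ok-1", "@timestamp": "2020-07-15T12:00:00Z"},          # stamped by a correct clock
    {"_id": "skewed-1", "@timestamp": "2020-07-15T09:00:00.000Z"},  # stamped by a clock 3 h behind
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(doc["_id"], "stored:", doc["@timestamp"],
              "browser shows:", render_for_browser(doc["@timestamp"]))
    for doc_id, skew in skewed_docs(SAMPLE_DOCS, REFERENCE_NOW):
        print(f"clock skew on {doc_id}: {skew}")
```

The useful operational check is `skewed_docs`: a healthy document shows a skew of a few seconds, while a host whose clock is behind produces a large negative value even though Kibana will still render it in the browser's zone without complaint. Because Kibana only shifts the stored UTC value, no display setting can repair an event that was stamped by a wrong clock; the fix is to synchronize the clock on every host that writes `@timestamp` and restart services that cached the old time.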