Hi,
I have Raspberry Pis in different timezones writing logs to a Syslog server. The logs from the Syslog server are being collected by Elastic Agent and are correctly stored in the system.syslog index.
Logs look like:
Nov 30 08:05:01 PiMirror piinfo: gpu_temp=47.7;cpu_temp=48.1;model=4
Nov 30 08:45:21 PiMirror rngd[500]: stats: bits received from HRNG source: 220064
Nov 30 09:05:01 PiMirror piinfo: gpu_temp=50.1;cpu_temp=49.1;model=4
Question 1: How does Elastic Agent with the system integration determine the right timestamp and timezone? These are not in the original log. These are correctly ingested.
The reason I am asking: the Syslog server splits specific events (piinfo) from the logs into a separate logfile. These logs are also collected by Elastic Agent, but via a Custom log integration into a separate index, with a special ingest pipeline that uses a KV processor to split the message into the right key-value pairs.
But here the timestamp is wrong (1 hour ahead) and event.timezone is empty.
Question 2: How can I get the right timestamp and timezone?
There is very little documentation on how to use the Custom log integration.
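As an added example (not from the original post or from the Elastic integration itself), here is a `_simulate` body for the piinfo lines above that sets event.timezone per host and hands it to the date processor, so the parsed `@timestamp` is no longer off by an hour. It assumes the processors are placed in the Custom log integration's pipeline, that the `zones` map (host to IANA zone, here a constructed `PiMirror` to `Europe/Amsterdam` entry) is filled in for each Pi, and that the date processor uses the current year for the year-less syslog timestamp:

```json
{
  "pipeline": {
    "description": "piinfo lines from the syslog server: explicit per-host timezone, then key=value split",
    "processors": [
      { "grok": {
          "field": "message",
          "patterns": [
            "%{SYSLOGTIMESTAMP:_tmp.ts} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:int}\\])?: %{GREEDYDATA:_tmp.kv}"
          ]
      } },
      { "script": {
          "description": "event.timezone from a host->zone map (constructed values); fallback zone for unknown hosts",
          "source": "if (ctx.event == null) { ctx.event = new HashMap(); } def tz = params.zones.get(ctx.host?.hostname); ctx.event.timezone = tz != null ? tz : params.default_zone;",
          "params": { "zones": { "PiMirror": "Europe/Amsterdam" }, "default_zone": "UTC" }
      } },
      { "date": {
          "field": "_tmp.ts",
          "formats": ["MMM d HH:mm:ss", "MMM  d HH:mm:ss"],
          "timezone": "{{{event.timezone}}}",
          "target_field": "@timestamp"
      } },
      { "kv": {
          "field": "_tmp.kv",
          "field_split": ";",
          "value_split": "=",
          "target_field": "piinfo",
          "ignore_missing": true
      } },
      { "convert": { "field": "piinfo.gpu_temp", "type": "float", "ignore_missing": true } },
      { "convert": { "field": "piinfo.cpu_temp", "type": "float", "ignore_missing": true } },
      { "remove": { "field": "_tmp" } }
    ]
  },
  "docs": [
    { "_source": { "message": "Nov 30 08:05:01 PiMirror piinfo: gpu_temp=47.7;cpu_temp=48.1;model=4" } },
    { "_source": { "message": "Nov 30 09:05:01 PiMirror piinfo: gpu_temp=50.1;cpu_temp=49.1;model=4" } }
  ]
}
```

Send it as the body of `POST _ingest/pipeline/_simulate` and check that `@timestamp` in the response is the local time shifted by the host's zone offset and that `event.timezone` is populated; an unmapped host falls back to `default_zone`, which is the case to watch for when a new Pi is added.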