Year is missing from original log file, log events are stored as current year

Hi there,

I have been testing the ELK-Stack recently. The ELK-Stack runs on a standalone server (elk-host01)

After setting everything up, I have installed the elastic-agent on another server (srv-docker01). The logs are sent by filebeats to elasticsearch and I can see them in Kibana. So, this is working so far.

But the logs are saved with a timestamp from the current year (2023), even if they were from 2022 or older. This seems to be caused by the missing year in the original log files.

// original entry from /var/log/auth.log
Jan  2 11:52:51 v2202002114686109779 sshd[7079]: Failed password for invalid user dcmadmin from 106.10.122.53 port 43680 ssh2

I have seen some approaches for syslog (rsyslog and ng-syslog), but this would only apply for future log events. Any idea how to handle this issue for the existing logs that are already in the index?

Best regards.
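The year-inference step the post is asking about, written out as an added example (this is not code from the original post, from Filebeat or from Elasticsearch). It assumes that a plausible reference time is known for each file, for example the file's last-modified time, and picks the most recent year in which the month/day/time of a line is not in the future relative to that reference. The sample auth.log lines, the host name, the IP addresses, the index name and the document ids are all constructed placeholders.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in the classic syslog format (no year), as found in /var/log/auth.log.
# Host, PIDs and IP addresses are placeholders, not taken from any real system.
SAMPLE_LINES = [
    "Dec 30 08:15:02 srv-docker01 sshd[611]: Accepted publickey for ops from 192.0.2.10 port 51022 ssh2",
    "Jan  2 11:52:51 srv-docker01 sshd[7079]: Failed password for invalid user dcmadmin from 198.51.100.7 port 43680 ssh2",
]

# "Mon  D HH:MM:SS host message" - the day may be padded with a second space.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):(?P<min>\d{2}):(?P<sec>\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)
MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_reference(iso_utc):
    """Parse a reference time such as a file's mtime given as 'YYYY-MM-DDTHH:MM:SSZ' (UTC)."""
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def infer_year(month, day, hour, minute, second, reference):
    """Return the most recent timestamp (year <= reference.year) for this month/day/time
    that does not lie after `reference`. Walks back a few years so that a 'Feb 29' line
    written in a leap year still resolves instead of raising."""
    for year in range(reference.year, reference.year - 8, -1):
        try:
            candidate = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
        except ValueError:
            continue  # e.g. Feb 29 in a non-leap year: not a valid date for this candidate year
        if candidate <= reference:
            return candidate
    raise ValueError("no plausible year within 8 years of the reference time")


def parse_syslog_line(line, reference):
    """Turn one year-less syslog line into a document with a fully qualified @timestamp."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = infer_year(MONTHS[m["mon"]], int(m["day"]), int(m["hour"]), int(m["min"]), int(m["sec"]), reference)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "message": m["msg"],
    }


def parse_file_lines(lines, reference):
    """Parse every line of one file against that file's reference time. Because each line is
    resolved independently, a December line followed by a January line in a file last
    modified in early January lands in the previous and the current year respectively."""
    docs = [parse_syslog_line(line, reference) for line in lines]
    return [d for d in docs if d is not None]


def bulk_timestamp_updates(index, doc_ids, docs):
    """Build the NDJSON body for the Elasticsearch _bulk API that rewrites @timestamp on
    documents that are already indexed (one 'update' action line plus one 'doc' line each)."""
    lines = []
    for doc_id, doc in zip(doc_ids, docs):
        lines.append(json.dumps({"update": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps({"doc": {"@timestamp": doc["@timestamp"]}}))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical: the file was last modified on 5 January 2023.
    ref = parse_reference("2023-01-05T09:00:00Z")
    fixed = parse_file_lines(SAMPLE_LINES, ref)
    for d in fixed:
        print(d["@timestamp"], d["host"], d["message"])
    print(bulk_timestamp_updates("auth-logs-placeholder", ["doc-1", "doc-2"], fixed), end="")
```

The reference time is the only input that anchors the year, so the correction is only as good as that reference: a file copied without preserving its mtime will yield a wrong year for every line, and a file spanning more than a year cannot be disambiguated by this rule at all. For documents already in the index, the bulk body above can be sent to `_bulk` to overwrite `@timestamp` in place, provided the original line (or at least its month/day/time) and a per-file reference are still available to compute the corrected value.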
