I have been testing the ELK-Stack recently. The ELK-Stack runs on a standalone server (elk-host01)
After setting everything up, I have installed the elastic-agent on another server (srv-docker01). The logs are sent by filebeats to elasticsearch and I can see them in Kibana. So, this is working so far.
But the logs are saved with a timestamp from the current year (2023), even if they were from 2022 or older. This seems to be caused by the missing year in the original log files.
// original entry from /var/log/auth.log Jan 2 11:52:51 v2202002114686109779 sshd: Failed password for invalid use r dcmadmin from 220.127.116.11 port 43680 ssh2
I have seen some approaches for syslog (rsyslog and ng-syslog), but this would only apply for future log events.Any idea how to handle this issue for the existing logs that are already in the index?