Year is missing from original log file, log events are stored as current year

Hi there,

I have been testing the ELK Stack recently. The ELK Stack runs on a standalone server (elk-host01).

After setting everything up, I installed the Elastic Agent on another server (srv-docker01). The logs are sent by Filebeat to Elasticsearch and I can see them in Kibana. So this is working so far.

But the logs are saved with a timestamp from the current year (2023), even when they are from 2022 or earlier. This seems to be caused by the missing year in the original log files.

// original entry from /var/log/auth.log
Jan  2 11:52:51 v2202002114686109779 sshd[7079]: Failed password for invalid user dcmadmin from 106.10.122.53 port 43680 ssh2

I have seen some approaches for syslog (rsyslog and syslog-ng), but these would only apply to future log events. Any idea how to handle this issue for the existing logs that are already in the index?

Best regards.
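As an added example (not from the original post, and not Elastic's own code), here is the year-inference logic you would run while re-ingesting the rotated auth.log files with a corrected `@timestamp`, rather than letting the ingest pipeline default the missing year to the current one. The rule is the one a practitioner usually wants: a log file is append-only, so its last line is no newer than the file's mtime and every earlier line is no newer than the line after it; walking backwards and always choosing the latest year that satisfies that bound handles the December-to-January rollover inside one file and also resolves Feb 29 to the last leap year. The hostnames, IP address, process IDs and the mtime in the block are constructed for the example, not taken from the poster's server.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not the poster's data): four year-less syslog lines in file
# order, written across a year boundary (Mar 2022 .. Jan 2023).
SAMPLE_LINES = [
    "Mar  1 09:00:00 srv-docker01 sshd[410]: Accepted publickey for ops from 203.0.113.7 port 50122 ssh2",
    "Dec 31 23:59:58 srv-docker01 sshd[6001]: Failed password for invalid user admin from 203.0.113.7 port 43111 ssh2",
    "Jan  1 00:00:03 srv-docker01 sshd[6002]: Failed password for invalid user admin from 203.0.113.7 port 43112 ssh2",
    "Jan  2 11:52:51 srv-docker01 sshd[7079]: Failed password for invalid user dcmadmin from 203.0.113.7 port 43680 ssh2",
]
# Assumed modification time of the rotated file; in practice take it from
# os.stat(path).st_mtime before anything rewrites the file.
SAMPLE_MTIME = datetime(2023, 1, 15, 8, 0, 0, tzinfo=timezone.utc)

MONTHS = {name: num for num, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# Classic RFC 3164 prefix: "Mon dd HH:MM:SS " (day is space-padded, so "Jan  2").
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) ")


def latest_year_not_after(mon, day, hh, mm, ss, ceiling):
    """Most recent year in which mon/day hh:mm:ss is not after `ceiling`.

    Scans back a few years so that a Feb 29 line is placed in the most recent
    leap year instead of failing on a non-leap candidate.
    """
    for year in range(ceiling.year, ceiling.year - 8, -1):
        try:
            candidate = datetime(year, mon, day, hh, mm, ss, tzinfo=ceiling.tzinfo)
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if candidate <= ceiling:
            return candidate
    raise ValueError(f"no plausible year for {mon:02d}-{day:02d} before {ceiling}")


def infer_timestamps(lines, mtime):
    """Assign full timestamps to year-less syslog lines of one append-only file.

    Walks from the last line backwards: the last line cannot be newer than the
    file's mtime, and each earlier line cannot be newer than its successor, so
    the latest year satisfying that bound is chosen for every line. Returns
    datetimes in original line order, None for lines without a syslog prefix
    (continuation lines), which simply inherit no timestamp here.
    """
    out = [None] * len(lines)
    ceiling = mtime
    for i in range(len(lines) - 1, -1, -1):
        m = SYSLOG_TS.match(lines[i])
        if not m:
            continue
        hh, mm, ss = (int(x) for x in m.group("hms").split(":"))
        ts = latest_year_not_after(MONTHS[m.group("mon")], int(m.group("day")),
                                   hh, mm, ss, ceiling)
        out[i] = ts
        ceiling = ts
    return out


def corrected_events(lines, mtime):
    """Build the documents to re-index: ISO 8601 @timestamp plus the raw line."""
    return [{"@timestamp": ts.isoformat(), "message": line}
            for line, ts in zip(lines, infer_timestamps(lines, mtime)) if ts is not None]


if __name__ == "__main__":
    for event in corrected_events(SAMPLE_LINES, SAMPLE_MTIME):
        print(event["@timestamp"], event["message"])
```

The limits are the ones inherent in the format: the file's mtime is the only anchor, so if a file was touched after its last write every line can drift forward by a year, and a gap of more than a year between two consecutive lines cannot be detected at all. Documents already in the index carry neither the mtime nor their neighbours' order, which is why correcting them in place is harder than deleting the affected index and re-ingesting the rotated files with a timestamp computed this way.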