Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

all messages search doesn't search all messages #4981

Open cawfehman opened 6 years ago

cawfehman commented 6 years ago

When searching all messages, the result doesn't include messages that come into Graylog with a timestamp that may be in the future. Graylog server time is set to UTC-4, and a message comes in with a timestamp in UTC. Those messages will not appear in a relative time (last 5 minutes) search for 4 hours. At that point they are 4 hours old and not < 5 minutes.

Expected Behavior

If I search all messages, it should return all messages regardless of timestamps being past, present, or future.

Current Behavior

Selecting all messages and doing a query for a log message that came in from a device with a UTC timestamp, returns no results. However, if I select an absolute time and put the current time in UTC, the messages are returned. Switching back to a relative time and selecting any other option (last 5 minutes or all messages) returns no results.

Possible Solution

1) Change the "all messages" label in the relative search to "older messages".
2) Have "all messages" disregard the timestamp when searching.
3) If Graylog knows when the log was received, perhaps permit a search based on when the log was received and not based on the timestamp of the log itself.
4) Add "future messages" that will search for messages that have a timestamp beyond the current system time. This could potentially help identify misconfigured clients as well.

Steps to Reproduce (for bugs)

1) Configure a client to send logs with a timestamp in a timezone that is ahead of the Graylog server:
   Graylog server time zone -> UTC-4
   Client generating syslog -> UTC
2) Generate logs and send them to Graylog.
3) Search for the logs as detailed above.

Context

This issue has caused problems identifying and correlating log files. It's also cost time troubleshooting what appeared to be logs not coming into Graylog, when in fact they were being sent by the client and received by Graylog, but practically unsearchable through the interface. I'm still not sure how it is affecting the metrics that are represented by the charts and graphs. Are they affected by this? Is my current ingest rate accuracy delayed 4 hours because Graylog is not counting these messages? Does this affect how I retrieve logs in the future? When I do a search for logs the next day, are all the logs returned?

Your Environment

I have a single Graylog server with a single, separate Elasticsearch node, running on CentOS 7.
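The failure mode described in this issue, as an added example that is not Graylog's own code or part of the original report: an RFC 3164 syslog header carries no zone, so the receiver has to assume one. The script below assumes (as in the report) a Graylog host at UTC-4, constructs two sample syslog lines (one client stamping in UTC, one in the server's zone), and shows that the UTC client's message is shifted four hours into the future, drops out of a "last 5 minutes" search on the event timestamp, but is found when the search runs on receive time (solution 3 above) and is flagged by a future-timestamp check (solution 4). The 5-minute skew tolerance and the field names `timestamp` / `received_at` are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption taken from the report: the Graylog host runs at UTC-4.
SERVER_TZ = timezone(timedelta(hours=-4))


def parse_rfc3164_timestamp(line, year, assumed_tz):
    """Parse the 'Mmm dd HH:MM:SS' prefix of an RFC 3164 syslog line.

    The classic header has neither year nor zone, so both are assumed by the
    receiver. If the receiver assumes its own local zone and the client stamps
    in another zone, the event time is silently shifted by the offset.
    """
    naive = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz).astimezone(UTC)


def ingest(line, received_at, assumed_tz=SERVER_TZ):
    """Build a stored record: parsed event timestamp plus the receive time."""
    return {
        "timestamp": parse_rfc3164_timestamp(line, received_at.year, assumed_tz),
        "received_at": received_at,
        "message": line[16:],  # text after the 15-char stamp and one space
    }


def relative_search(messages, now, window, field="timestamp"):
    """'Last N' search: keep messages whose `field` lies in [now - window, now]."""
    return [m for m in messages if now - window <= m[field] <= now]


def future_messages(messages, skew=timedelta(minutes=5)):
    """Flag messages stamped ahead of their own receive time by more than `skew`."""
    return [m for m in messages if m["timestamp"] - m["received_at"] > skew]


def hosts(messages):
    """Host names of the matched messages, sorted for stable comparison."""
    return sorted(m["message"].split()[0] for m in messages)


def scenario():
    # Real time: 12:00:30 UTC, which is 08:00:30 on the UTC-4 server clock.
    now = datetime(2018, 9, 14, 12, 0, 30, tzinfo=UTC)
    five_min = timedelta(minutes=5)
    # Constructed sample lines (not real logs).
    lines = [
        # hostA stamps in UTC. Graylog reads 12:00 as UTC-4, i.e. 16:00 UTC.
        "Sep 14 12:00:00 hostA sshd[101]: Accepted publickey for ops from 10.0.0.5",
        # hostB stamps in the server's zone: 08:00 UTC-4 == 12:00 UTC, correct.
        "Sep 14 08:00:00 hostB sshd[202]: Accepted publickey for ops from 10.0.0.6",
    ]
    stored = [ingest(line, now) for line in lines]

    return {
        "hostA_timestamp_utc": stored[0]["timestamp"].isoformat(),
        # Search on the event timestamp: hostA is four hours "in the future".
        "found_by_timestamp": hosts(relative_search(stored, now, five_min)),
        # Search on receive time (solution 3): both messages are found.
        "found_by_received_at": hosts(
            relative_search(stored, now, five_min, field="received_at")),
        # Future-timestamp check (solution 4): hostA is the misconfigured client.
        "flagged_future": hosts(future_messages(stored)),
        # Four hours later the hostA message finally enters the 5-minute window.
        "found_four_hours_later": hosts(
            relative_search(stored, now + timedelta(hours=4), five_min)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the script prints which hosts each search returns; the receive-time search and the future-message check are the two ways a practitioner can surface messages whose stamped time is ahead of the server's clock.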

jalogisch commented 6 years ago

https://community.graylog.org/t/all-messages-search-doesnt-seem-to-include-all-messages/6316