The threat.conf settings change the @timestamp field to be equivalent to the Generated Time of the NGFW. This works perfectly if the NGFW clock is set to GMT. However, if it is set to a different TZ, it looks like the time gets skewed in the visualizations, which can misrepresent exactly when something occurred.
Need to look at the @timestamp field not being correlated with the Generated Time from the log event, but rather allowing it to default to when the log message was received by Logstash. This should fix the skew.
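As an added illustration (not the issue author's text and not the project's actual threat.conf), the two Logstash `date` filter forms below show why the skew appears and one way to keep Generated Time as @timestamp without it. The field name `GeneratedTime`, the PAN-OS `yyyy/MM/dd HH:mm:ss` pattern and the `America/New_York` zone are assumptions for the example; substitute whatever the pipeline's csv/grok stage actually produces and the zone the firewall clock is set to.

```conf
# Added example, not the project's own threat.conf.
# Assumed: an earlier csv/grok stage put the NGFW's generated time into a field
# named "GeneratedTime" in PAN-OS format, e.g. "2019/03/05 14:07:21". That string
# carries no UTC offset, so the date filter has to be told which zone it is in.

# Skew-prone form (what the report describes): no timezone given, so Logstash
# parses the naive string in the Logstash host's platform default zone. It is only
# correct when the firewall clock happens to be set to GMT/UTC; a firewall on
# US/Eastern lands 4-5 hours off in Kibana.
filter {
  date {
    match  => [ "GeneratedTime", "yyyy/MM/dd HH:mm:ss" ]
    target => "@timestamp"
  }
}

# Corrected form: declare the firewall's zone so Generated Time converts to UTC
# correctly, keep the raw string in its own field for forensics, and tag events
# whose time fails to parse so they are not silently stamped with ingest time.
filter {
  date {
    match          => [ "GeneratedTime", "yyyy/MM/dd HH:mm:ss" ]
    timezone       => "America/New_York"   # set to the NGFW's configured TZ
    target         => "@timestamp"
    tag_on_failure => [ "_generatedtime_parsefailure" ]
  }
}
```

Dropping the `date` filter altogether, as the report proposes, also removes the skew, but then @timestamp records when Logstash received the event rather than when the firewall generated it, so any syslog buffering or transport delay shifts the apparent time of the event; the `timezone` option keeps the firewall's own time while still producing correct UTC values, and either way the raw `GeneratedTime` field remains available for checking.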