MartijnvdB
commented
7 years ago I second this request. We send the output of this module to a monitoring system which displays the alert in GMT, which is two hours from the actual alert occurence.
Open Shaoranlaos opened 7 years ago
MartijnvdB
commented
7 years ago I second this request. We send the output of this module to a monitoring system which displays the alert in GMT, which is two hours from the actual alert occurence.
pznamensky
commented
6 years ago +1
Foxeronie
commented
6 years ago +1, same problem like MartijnvdB
some output is send to ossec and in the logs you can see -2 hours difference between the actual timestamp and the received timestamp
Foxeronie
commented
6 years ago A small workaround. In Ubuntu I edited the file
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb
and added the following lines:
[...]
if @is_rfc3164
timestamp = event.sprintf("%{+MMM dd HH:mm:ss}")
# Add offset of two hours
timestamp_new = DateTime.parse(timestamp)
timestamp_new = timestamp_new.new_offset('+02:00')
timestamp = timestamp_new.strftime('%h %e %H:%M:%S')The timestamp has now an offset of +2 hours. You need to restart logstash.
It should be possible to define a field from which to read the timestamp to use in the syslog message like it is now possible for all other fields in a syslog message. e.g.
This would help with some problems that come with the inability of a syslog server to understand timezones.