I am using the plugin to forward a Windows Event (collected via NXLog) to an external system in snare format.
By analysing the raw message, it looks like that the syslog output in Snare format adds a new timestamp that differs from the one in the original Graylog message.
More specifically, each Graylog message includes a timestamp field with the correct event time. The message that is forwarded by the syslog output has a different timestamp (usually, a few seconds in the future due to processing time).
Is it possible to avoid this behaviour and have the output plugin use the original timestamp from the timestamp field?
I am using Graylog 3.3.14 with the plugin release 3.3.2.
mrcdb
commented
2 years ago
Hi,
I am using the plugin to forward a Windows Event (collected via NXLog) to an external system in snare format. By analysing the raw message, it looks like that the syslog output in Snare format adds a new timestamp that differs from the one in the original Graylog message.
More specifically, each Graylog message includes a
timestampfield with the correct event time. The message that is forwarded by the syslog output has a different timestamp (usually, a few seconds in the future due to processing time).Is it possible to avoid this behaviour and have the output plugin use the original timestamp from the
timestampfield? I am using Graylog3.3.14with the plugin release3.3.2.Thanks.