I am using logstash to send syslog data to elasticsearch. Everything is working fine except the logstash agent is sending data with the timestamp +5 hours.
Here is my config:
input {
file {
type => "syslog"
# modify to path to suit your local syslog configuration.
# The below will recursively grab all files in /var/log/rsyslog that end in .log
path => ["/var/log/syslog", '/var/log/auth.log', '/var/log/faillog', '/var/log/mail.log', '/var/log/postgresql/postgresql-9.1-main.log']
# comment out below after logstash has slurped in all of your existing logs otherwise
# you risk it double indexing if you lose your sincedb file.
#start_position => "beginning"
}
file {
type => "jbosslog"
path => [ "/data/jboss-4.2.3.GA/server/bla/log/server.log" ]
}
}
output {
redis {
# change below to the hostname or ip address of your redis server. can add more than one redis host.
host => [ "192.168.117.39" ]
data_type => 'list'
key => 'logstash'
batch => true
}
stdout { }
}
The stdout for a log looks like:
2013-03-06T17:03:56.934Z file://bla/var/log/postgresql/postgresql-9.1-main.log: 2013-03-06 12:03:56 EST LOG: archive command failed with exit code 12
Best Answer
The timestamp you gave in your example appears to be correct. It was about 18 minutes before you posted this question.
It appears your server (I presume you have a good reason, but you might not) is configured with a timezone of US/Eastern or something similar. But logstash logs everything with UTC time, to prevent a wide variety of problems that occur when storing and processing local time.