Graylog2 didn't recognize the event date

Description

Graylog2 didn't recognize the event date; it just used the date on which it received the event.
I'm using the gelf output plugin to communicate with graylog2.
I'm parsing the timestamp fields with the date filter.

Sample:

Input:

Jan 22 06:25:40 graylog rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="996" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.

stdout:

"@timestamp" => "2012-01-22T05:25:40.000Z"

graylog2 event view:

From: graylog
Date: Sun Jan 22 06:25:41 +0100 2012
Severity: Info
Facility: syslog
File: /var/log/messages:105
MINUTE: 25
timestamp: Jan 22 06:25:40
logsource: graylog
SECOND: 40
gelflevel: 1
MONTH: Jan
TIME: 06:25:40
level: INFO
HOUR: 06
facility: syslog
program: rsyslogd
MONTHDAY: 22
SYSLOGBASE2: Jan 22 06:25:40 graylog rsyslogd:
SYSLOGPROG: rsyslogd
IPORHOST: graylog
message: [origin software="rsyslogd" swVersion="4.6.4" x-pid="996" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.
HOSTNAME: graylog
Full message:

Jan 22 06:25:40 graylog rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="996" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.

My idea:
The date filter sets the "@timestamp" field, but the gelf output plugin uses "event.unix_timestamp", and I didn't find any line where logstash sets the unix_timestamp field (and converts the ISO-formatted timestamp to unixtime).

Activity

John E. Vincent May 25, 2012 at 5:15 AM

The float change had already been made. I explicitly set the gelf gem version in Gemfile.

Thibault Desaules March 19, 2012 at 3:18 PM

Ok, after some research I found the problem. In the jar release, the gelf gem version is not good: it uses 1.1.3, not the latest (1.3.2 here: https://github.com/Graylog2/gelf-rb).

After that, I just made some changes in logstash/outputs/gelf.rb:
[...]
m["timestamp"] = event.unix_timestamp.to_f
[...]
@gelf.notify!(m)
[...]

Is it possible to make the changes in the next logstash version?

Thibault Desaules February 27, 2012 at 11:36 AM

Have you made some changes to the code? Because I can't get the correct timestamp in graylog2.

Thibault Desaules February 27, 2012 at 10:10 AM

I made a test with the mutate filter but nothing changed... I will send you a mail with all my conf.

John E. Vincent February 26, 2012 at 5:25 AM

One thing to make sure of is the following:

  • Using JRuby
    There's currently an open bug regarding usage on MRI. Logstash currently uses JODA for datetime, so it can affect some plugins that explicitly call 'event.unix_timestamp'.

I'm currently testing with master.

I'm going to modify the code to at least send the timestamp as a float, since that's what the GELF spec says.
(timestamp: UNIX microsecond timestamp (decimal); SHOULD be set by client library.)

Thibault, can you provide me again with a few sample log lines and your current grok and date filters? I want to do some more testing closer to your setup.
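The point raised in the description (the date filter fills "@timestamp" but nothing converts it to a unix time for GELF) and in the comment above (the GELF spec wants a decimal float timestamp) can be shown end to end. The following is an added example and not code from logstash or the gelf-rb gem: it parses the ISO8601 "@timestamp" the date filter produced, converts it to a Float unix time, and places it in a GELF message hash so Graylog2 uses the event time rather than the receive time. The event hash, the helper names `gelf_timestamp` and `build_gelf_message`, and the level value are constructed for this example; the GELF field names ("version", "host", "short_message", "timestamp", "level") are those of the GELF spec.

```ruby
# Added example, not logstash's or gelf-rb's own code.
# Shows how a parsed "@timestamp" becomes the float unix timestamp that a GELF
# message needs; without the "timestamp" field Graylog2 stamps the message
# with the time it was received, which is the symptom reported above.
require 'time'

# Constructed stand-in for a logstash event after the date filter ran.
# Values are taken from the sample in the report; "@timestamp" is in UTC.
SAMPLE_EVENT = {
  "@timestamp" => "2012-01-22T05:25:40.000Z",
  "logsource"  => "graylog",
  "message"    => "[origin software=\"rsyslogd\" swVersion=\"4.6.4\" x-pid=\"996\" " \
                  "x-info=\"http://www.rsyslog.com\"] rsyslogd was HUPed, type 'lightweight'."
}.freeze

# Convert an ISO8601 string to seconds since the epoch as a Float.
# GELF asks for a decimal unix timestamp, so an Integer (or a String) would
# not be the right type even when its value is correct.
def gelf_timestamp(iso8601)
  Time.iso8601(iso8601).to_f
end

# Build a GELF message hash from the event (hypothetical helper).
# The "timestamp" key carries the parsed event time, never the send time.
def build_gelf_message(event)
  {
    "version"       => "1.0",
    "host"          => event["logsource"],
    "short_message" => event["message"],
    "timestamp"     => gelf_timestamp(event["@timestamp"]),
    "level"         => 6  # syslog informational, constructed for the sample
  }
end

# Check that a message preserves the event's time: the value must be a Float
# and must round-trip to the same instant as the event's "@timestamp".
def timestamp_preserved?(message, event)
  ts = message["timestamp"]
  ts.is_a?(Float) && Time.at(ts).utc == Time.iso8601(event["@timestamp"]).utc
end

if __FILE__ == $0
  msg = build_gelf_message(SAMPLE_EVENT)
  puts "GELF timestamp: #{msg["timestamp"]} (#{Time.at(msg["timestamp"]).utc.iso8601})"
  puts "preserved: #{timestamp_preserved?(msg, SAMPLE_EVENT)}"
end
```

Running the block prints 1327209940.0, which is 2012-01-22T05:25:40Z, the same instant the date filter produced in the stdout sample rather than the 06:25:41 +0100 receive time shown in the Graylog2 event view.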

Fixed

Created January 22, 2012 at 3:19 PM
Updated April 19, 2013 at 8:19 PM
Resolved May 25, 2012 at 5:15 AM