timestamp +5 hours logstash

Question

I am using logstash to send syslog data to elasticsearch. Everything is working fine except the logstash agent is sending data with the timestamp +5 hours.

Here is my config:

input {
  file {
    type => "syslog"
    # modify to path to suit your local syslog configuration.   
    # The below will recursively grab all files in /var/log/rsyslog that end in .log
    path => ["/var/log/syslog", '/var/log/auth.log', '/var/log/faillog', '/var/log/mail.log', '/var/log/postgresql/postgresql-9.1-main.log']
    # comment out below after logstash has slurped in all of your existing logs otherwise
    # you risk it double indexing if you lose your sincedb file.
    #start_position => "beginning"
  }

  file {
    type => "jbosslog"
    path => [ "/data/jboss-4.2.3.GA/server/bla/log/server.log" ]
  }


}

output { 
  redis { 
    # change below to the hostname or ip address of your redis server.  can add more than one redis host.
    host => [ "192.168.117.39" ] 
    data_type => 'list' 
    key => 'logstash'
    batch => true
  }
  stdout { }
}

The stdout for a log looks like:

2013-03-06T17:03:56.934Z file://bla/var/log/postgresql/postgresql-9.1-main.log: 2013-03-06 12:03:56 EST LOG:  archive command failed with exit code 12

Answer 1

The timestamp you gave in your example appears to be correct. It was about 18 minutes before you posted this question.

It appears your server (I presume you have a good reason, but you might not) is configured with a timezone of US/Eastern or something similar. But logstash logs everything with UTC time, to prevent a wide variety of problems that occur when storing and processing local time.