Filebeat to Logstash timezone issue

Question

Using Filebeat, and Logstash 7.9. Customer logfiles have timestamps in local timezone. Want to let Logstash know in which timezone filebeat lives. Am able to do that via adding:

processors:
  - add_locale:
      format: abbreviation

in filebeat.yml, and in logstash filter using the event.timezone via:

    grok {
          match => { "message" => "%{DATESTAMP:logdate} %{GREEDYDATA:jsonmess}"}
    }
    date {
      match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
      timezone => "{{ event.timezone }}"
    }

Problem is that filebeat options for the timezone format are "offset" and "abbrevation", but logstash expects only "canonical id's" ! How can i make this work ?

score 1 · Accepted Answer · answered Sep 23 '20 at 14:25

You can use the offset in the timezone option in the Logstash date filter.

For example, the following config will work without problems.

date {
    match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
    timezone => "-03:00"
}

Also, the way you are referencing the event.timezone field is wrong, you should use %{[event][timezone} and not {{ event.timezone }}

Try to change your config to

date {
    match => ["logdate", "yy-MM-dd HH:mm:ss,SSS"]
    timezone => "%{[event][timezone]}"
}

Filebeat to Logstash timezone issue

1 Answers1