Alert timestamps and email notifications always use UTC (+0000) despite local timezone configuration (Docker 4.12.0, Europe/Istanbul)


Çınar

Nov 28, 2025, 9:58:49 AM
to Wazuh | Mailing List

Wazuh version: 4.12.0

Component: Wazuh manager

Install type: Manager

Install method: Docker Compose (wazuh-docker single-node)

Platform: Linux (systemd, Europe/Istanbul TZ), Ubuntu Server 24.04 LTS

Alert timestamps in alerts.json and email notifications always use UTC (+0000), even though the host, container, and Wazuh manager timezone configuration are all set to Europe/Istanbul (UTC+3) and show the correct local time.

This results in a consistent 3-hour difference between:

• The time shown in Wazuh alerts / email notifications (UTC),

• The local time shown on the systems and in Windows Event Viewer (Europe/Istanbul, UTC+3).

The timezone configuration appears to be correct, but the alert timestamp field is still written in UTC.

Environment

• Wazuh 4.12.0

• Official wazuh-docker single-node deployment (wazuh.manager, wazuh.indexer, wazuh.dashboard, smtp-relay)

• Host: Linux with systemd and timedatectl

• Timezone: Europe/Istanbul (UTC+3)

Host time configuration:

    timedatectl
    Local time: Fri 2025-11-28 14:26:18 +03
    Universal time: Fri 2025-11-28 11:26:18 UTC
    Time zone: Europe/Istanbul (+03, +0300)
    System clock synchronized: yes
    NTP service: active

    ls -l /etc/localtime
    /etc/localtime -> /usr/share/zoneinfo/Europe/Istanbul

    file /etc/localtime
    /etc/localtime: symbolic link to /usr/share/zoneinfo/Europe/Istanbul

Docker Compose configuration (wazuh.manager)

Relevant part of docker-compose.yml:

    services:
      wazuh.manager:
        image: wazuh/wazuh-manager:4.12.0
        hostname: wazuh.manager
        restart: always
        networks:
          - wazuh-network
        ports:
          - "1514:1514"
          - "1515:1515"
          - "514:514/udp"
          - "55000:55000"
        environment:
          - INDEXER_URL=https://wazuh.indexer:9200
          - INDEXER_USERNAME=admin
          - INDEXER_PASSWORD=
          - FILEBEAT_SSL_VERIFICATION_MODE=full
          - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
          - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
          - SSL_KEY=/etc/ssl/filebeat.key
          - API_USERNAME=wazuh-wui
          - API_PASSWORD=
          - TZ=Europe/Istanbul
        volumes:
          - wazuh_api_configuration:/var/ossec/api/configuration
          - wazuh_etc:/var/ossec/etc
          - wazuh_logs:/var/ossec/logs
          - wazuh_queue:/var/ossec/queue
          - wazuh_var_multigroups:/var/ossec/var/multigroups
          - wazuh_integrations:/var/ossec/integrations
          - wazuh_active_response:/var/ossec/active-response/bin
          - wazuh_agentless:/var/ossec/agentless
          - wazuh_wodles:/var/ossec/wodles
          - filebeat_etc:/etc/filebeat
          - filebeat_var:/var/lib/filebeat
          - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
          - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
          - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
          - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
          - /etc/localtime:/etc/localtime:ro
          - /etc/localtime:/var/ossec/etc/localtime:ro

What I see inside the manager container

Manager container time:

    docker exec -it single-node-wazuh.manager-1 date
    Fri Nov 28 14:28:19 +03 2025

Localtime files inside the container:

    docker exec -it single-node-wazuh.manager-1 ls -l /etc/localtime /var/ossec/etc/localtime
    -rw-r--r-- 1 root root 1947 Apr 22 2025 /etc/localtime
    -rw-r--r-- 1 root root 1947 Apr 22 2025 /var/ossec/etc/localtime

So:

• Host is on Europe/Istanbul (+03),

• Manager container shows correct local time (+03),

• /etc/localtime and /var/ossec/etc/localtime inside the container are identical and mapped from the host timezone.

Problem details

Despite the above timezone configuration, all alert timestamps in alerts.json are written with +0000 (UTC).

At the same time:

• Host local time: 2025-11-28 14:28 (+03)

• Manager container local time: 2025-11-28 14:28 (+03)

• Windows event systemTime: 2025-11-28T11:29:16.6599982Z (UTC)

• Wazuh alert timestamp: 2025-11-28T11:28:19.832+0000 (UTC)

So the alert timestamp is always stored/emitted as UTC, not as local time, even when the manager’s local time and timezone configuration are correct.

This causes a consistent 3-hour offset between:

• The time in Wazuh alerts and email notifications (UTC), and

• The time that operators see locally on the systems and in Windows Event Viewer (Europe/Istanbul, UTC+3).

Actual behavior

• Alert timestamps in alerts.json always use UTC (+0000), even when:

    • Host and container timezones are set to Europe/Istanbul,

    • /var/ossec/etc/localtime is correctly mapped from the host timezone.

• Email notifications based on these alerts therefore also show UTC times, which are 3 hours behind local time in Europe/Istanbul.

Questions

1. Is it expected behavior in Wazuh 4.12.0 that alert timestamp values (and email notification times derived from them) always use UTC (+0000), regardless of the local timezone configuration?

2. If this is not expected, is this a known bug or regression in 4.12.0 and/or in the Docker deployment?

3. If it is by design, what is the recommended / supported way to:

    • Configure Wazuh so alert timestamps can use the local timezone, or

    • Transform these timestamps on the Wazuh side so that email notifications show local time for operators?

I can provide additional logs, full docker-compose.yml, or run with increased debug level if needed.
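
An added example, not part of the original post and not Wazuh code: a post-processing step outside Wazuh that parses the two timestamp formats quoted above (alert `+0000`, Windows `systemTime` with a 7-digit fraction and `Z`) and renders both in Europe/Istanbul. The alert line is constructed from the post's values; the `data.win.system.systemTime` path and all helper names are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample alert line; the two timestamp values are the ones quoted in the post.
# The data.win.system.systemTime path is an assumption about the alert layout.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2025-11-28T11:28:19.832+0000",
    "data": {"win": {"system": {"systemTime": "2025-11-28T11:29:16.6599982Z"}}},
})

# Windows systemTime carries 7 fractional digits; strptime's %f accepts at most 6.
_EXTRA_FRACTION = re.compile(r"(\.\d{6})\d+")


def local_zone():
    """Return Europe/Istanbul, or a fixed UTC+3 offset if no tz database is installed."""
    try:
        return ZoneInfo("Europe/Istanbul")
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=3))


def parse_utc(ts):
    """Parse '...+0000' (alert) or '...Z' (Windows) into an aware UTC datetime."""
    trimmed = _EXTRA_FRACTION.sub(r"\1", ts)
    return datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def localize_alert(line, tz):
    """Render both timestamps of one alert in tz and report how far apart they are."""
    alert = json.loads(line)
    alert_utc = parse_utc(alert["timestamp"])
    event_utc = parse_utc(alert["data"]["win"]["system"]["systemTime"])
    fmt = "%Y-%m-%d %H:%M:%S %z"
    return {
        "alert_local": alert_utc.astimezone(tz).strftime(fmt),
        "event_local": event_utc.astimezone(tz).strftime(fmt),
        "gap_seconds": round(abs((event_utc - alert_utc).total_seconds()), 3),
    }


if __name__ == "__main__":
    print(localize_alert(SAMPLE_ALERT, local_zone()))
```

Both values are on the same UTC scale, so the two quoted samples sit under a minute apart once parsed; the 3-hour difference appears only when one side is displayed in local time.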
