Clarification on Pre-decoded Time vs Timestamp in Events
32 views
Skip to first unread message
Chandra pal singh Chauhan
May 6, 2026, 7:49:26 AM (4 days ago) May 6
to Wazuh | Mailing List
Hello Team,
Hope you are doing well.
I have one question regarding events. There are two time fields: one is pre-decoded time and the other is timestamp. Could you please provide some insight into the difference between these two?
Regards,
Chandra
Md. Nazmur Sakib
May 6, 2026, 8:38:37 AM (4 days ago) May 6
to Wazuh | Mailing List
Hi Chandra,
@timestamp is when your Wazuh manager receives the data added by the Wazuh manager. I believe it is showing the time in your local time or the time you have configured in your Wazuh Dashboard.
On the other hand, the predecoded.timestamp is the timestamp your raw log contains and decoded by the pre-decoder.
I am sharing some screenshots for your reference:
We often see that the agent OS logs events in UTC, and the Wazuh Dashboard time is configured in Browser time. So it shows a difference between the two values.
Let me know if you need any further information on this.
@timestamp is when your Wazuh manager receives the data added by the Wazuh manager. I believe it is showing the time in your local time or the time you have configured in your Wazuh Dashboard.
On the other hand, the predecoded.timestamp is the timestamp your raw log contains and decoded by the pre-decoder.
I am sharing some screenshots for your reference:
We often see that the agent OS logs events in UTC, and the Wazuh Dashboard time is configured in Browser time. So it shows a difference between the two values.
Let me know if you need any further information on this.
Chandra pal singh Chauhan
May 6, 2026, 9:40:12 AM (4 days ago) May 6
to Wazuh | Mailing List
Hello Nazmur,
so you say that the time difference is due to a mismatch in time standards—UTC (default time for the agent) and IST (used by the Wazuh manager)?
Is there a possibility to align the time settings so that the raw logs are also recorded in IST on the manager side? The current time difference is creating confusion during event analysis.
Please let me know if this can be adjusted.
Regards,Chandra
Md. Nazmur Sakib
May 7, 2026, 1:49:03 AM (3 days ago) May 7
to Wazuh | Mailing List
The Wazuh manager, do not manipulate the raw log. To change the raw log’s timestamp in IST, you need to make changes at the source where the logs are generated. You need to configure your agent's OS to record those logs in IST instead of UTC. You can check the location field in the alerts detail to find out from where this log is collected. Once you configure the time on the source as IST time, you will be able to see the Raw logs in IST and as well as the predecoder.timestamp field.
The Wazuh manager will show the raw logs exactly how your endpoint generates them.
The Wazuh manager will show the raw logs exactly how your endpoint generates them.
Chandra pal singh Chauhan
May 7, 2026, 6:31:46 AM (3 days ago) May 7
to Wazuh | Mailing List
Hello
Nazmur
Thanks for clerification.
Reply all
Reply to author
Forward
0 new messages