Wazuh Community,
When issues occur on the server (e.g. high watermark) and logs stop being ingested, but are ingested later, the timestamp in OpenSearch is the ingest time, not the alert time.
Example from /var/ossec/logs/alerts/alerts.log (the JSON is reformatted for readability):
** Alert 1766431725.176018647: - hmailserver,
2025 Dec 22 14:28:45 wazuh->/var/log/mail.json
Rule: 540231 (level 3) -> 'Sending Email'
Src IP: 192.168.0.17
Dst IP: 192.168.0.17
{
"action": "Send",
"dsthostname": "mail.thedomain.local",
"dstip": "192.168.0.17",
"extra_data": "sys...@thedomain.com > alert...@somewhere.com",
"id": "2409118",
"message": "SMTPDeliverer - Message 2409118: Delivering message from sys...@thedomain.com to alert...@somewhere.com. File: C:\\Program Files (x86)\\hMailServer\\Data\\{B4596D57-188A-4866-81F0-21877E57986D}.eml",
"srchostname": "mail.thedomain.local",
"srcip": "192.168.0.17",
"timestamp": "2025-12-22T05:17:23.698Z",
"type": "hmailserver",
"url": "C:\\Program Files (x86)\\hMailServer\\Data\\{B4596D57-188A-4866-81F0-21877E57986D}.eml"
}
message: SMTPDeliverer - Message 2409118: Delivering message from sys...@thedomain.com to alert...@somewhere.com. File: C:\Program Files (x86)\hMailServer\Data\{B4596D57-188A-4866-81F0-21877E57986D}.eml
type: hmailserver
srchostname: mail.thedomain.local
timestamp: 2025-12-22T05:17:23.698Z
dsthostname: mail.thedomain.local
The JSON has the actual log with the timestamp, and it is parsed correctly into the timestamp field (2025-12-22T05:17:23.698Z). But at the top of the alert and in OpenSearch, the timestamp is the ingest time (2025 Dec 22 14:28:45).
How can I fix this?
Thanks,
Rus
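Added example, not code from the post or from Wazuh: a small Python routine that does what a custom ingest step for this situation would have to do, run over a constructed alerts.json record modelled on the alert above (the `data.timestamp` location of the decoded field and the `+0000` layout of the alert timestamp are assumptions). It moves the decoded event time into `@timestamp`, keeps the manager's time as `ingest_timestamp` so the backlog stays visible, and falls back to ingest time when the decoded value is missing, unparsable, or implausibly far off.

```python
import json
from datetime import datetime, timezone, timedelta

# Constructed alerts.json record modelled on the alert in the post (not real data):
# the top-level "timestamp" is when the manager raised the alert; the decoded
# "data.timestamp" is what hMailServer wrote into the log line.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2025-12-22T14:28:45.176+0000",
    "rule": {"id": "540231", "level": 3, "description": "Sending Email"},
    "data": {"type": "hmailserver", "id": "2409118",
             "timestamp": "2025-12-22T05:17:23.698Z"},
})

# Layouts seen in the post: alert time with "+0000", log time with a trailing "Z".
_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")

def parse_ts(value):
    """Parse either layout into an aware UTC datetime; None if it cannot be parsed."""
    if not isinstance(value, str):
        return None
    text = value[:-1] + "+0000" if value.endswith("Z") else value
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    return None

def retimestamp(alert_line, max_skew=timedelta(days=30)):
    """Copy of the alert with @timestamp set to the decoded event time.

    The manager's time is kept in ingest_timestamp so the backlog stays visible.
    If data.timestamp is missing, unparsable, or further than max_skew from the
    ingest time, the record stays on ingest time and timestamp_source says why."""
    doc = json.loads(alert_line)
    doc["ingest_timestamp"] = doc.get("timestamp")
    ingest = parse_ts(doc.get("timestamp"))
    event = parse_ts(doc.get("data", {}).get("timestamp"))
    if ingest is None or event is None:
        doc["timestamp_source"] = "ingest:no-event-time"
        return doc
    lag = ingest - event
    if abs(lag) > max_skew:
        doc["timestamp_source"] = "ingest:skew"
        return doc
    doc["@timestamp"] = event.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    doc["ingest_lag_seconds"] = round(lag.total_seconds(), 3)
    doc["timestamp_source"] = "event"
    return doc
```

Feeding the post's own values through it reports a lag of just over nine hours, which is the gap worth alerting on when the manager is recovering from a backlog.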