Timestamp Issue

[rlin...@networkconfig.net]

Dear Team,

The alert has been generated at Sep 17 11:27:18 but it shown field @timestamp September 17th 2018, 12:27:13.819 . How can i change the @timestamp time as it should be 11:27:18

full_log         Sep 17 11:27:18 754170-Node09 sudo: adidas : TTY=pts/0 ; PWD=/home/adidas ; USER=root ; COMMAND=/usr/bin/sudo

Regards,

rlinux57

[Jesus Linares]

Hi rlinux57,

We index the alerts by the time they are generated in Wazuh. In this way, we have a standard date for every alert, regardless of the timezone or possible errors in the timestamp of the event. 

For instance, since syslog doesn't add the timezone to the event, if you have servers in different locations, you would have problems to find your alerts in Kibana.

Anyway, you can choose the timestamp field in the Logstash configuration: https://github.com/wazuh/wazuh/blob/master/extensions/logstash/01-wazuh-remote.conf#L32.

Regards,

Jesus Linares.

[rlin...@networkconfig.net]

Hi Jesus,

Actually both server and client nodes have same location but my location is different. And kibana shows @timestamp with respect to my location not server/client. I want kibana to show the same timestamp as my server/client time.

Regards,

rlinux57

[Juanjo Jiménez]

Hello rlinux57,

To change the timezone that Kibana uses to show the timestamp, you can go to the left side nav, open Management > Advanced settings and search for “timezone”. This will show the dateFormat:tz setting, where you can choose your desired timezone to match your Wazuh instance. Click on the Save button to apply your changes.

This should be enough to change the timestamp field on your Kibana instance to match your Wazuh alerts. Let us know if you have more questions.

Regards,
Juanjo

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/3e940177-e0ed-4563-8f28-8297ac51168d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[rlin...@networkconfig.net]

Hi again,

I did it before and restart both kibana and wazuh-manager nothing will be change that's why I opened the ticket.

Regards,

rlinux57

[Jesus Linares]

Hi rlinux57,

I misunderstood your question. Juanjo is right, Kibana converts the timestamp to your time zone (see the attached image).

Regards,

[rlin...@networkconfig.net]

Hi Jesus,

I do it but it doesn't change timestamp, even I have restarted kibana and wazuh-manager as well.

Regards,

rlinux57

[Jesus Linares]

Hi rlinux57,

Can you share a screenshot?.

Thanks.

[rlin...@networkconfig.net]

Hi,

Please find attached screenshot.

Regards,
rlinux57

[rlin...@networkconfig.net]

Hi again,

Issue is resolved, Actually it was coming from cache. I have refresh the cache, now it's show exact time.

Regards,
rlinux57

[Jesus Linares]

Thanks for the feedback.

I'm glad to help.