I've configured an ELK server with Filebeat on the client. The configuration seems OK, but when I search for my log in Kibana every syslog entry is referenced in the year 2000, like this:

{
  "_index": "filebeat-2000.02.09",
  "_type": "syslog",
  "_id": "AVLGZIPtL5gIGucGObzD",
  "_score": null,
  "_source": {
    "message": "Feb  9 15:54:01 dev postfix/qmgr[1164]: 7DF9D1803D0: removed",
    "@version": "1",
    "@timestamp": "2000-02-09T14:54:01.000Z",
    "beat": {
      "hostname": "dev",
      "name": "dev"
    },
    "count": 1,
    "fields": null,
    "input_type": "log",
    "offset": 156454,
    "source": "/var/log/syslog",
    "type": "syslog",
.....

When I looked into my /var/log/syslog file, I found this kind of line:

Feb  9 16:36:01 dev postfix/qmgr[1164]: 51F48180484: from=<root@dev>, size=1838, nrcpt=1 (queue active)
Feb  9 16:36:01 dev postfix/local[2884]: 51F48180484: to=<root@dev>, orig_to=<root>, relay=local, delay=0.07, delays=0.05/0/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)

There's no year at the start of the line.

My question is: how do I add the year or change the timestamp? I use Debian 8.2. Thanks.

Comment: I've seen this post, but if I reset the log of a client that has been running for more than a year it will not work; I'm looking to change the syslog file to keep the same data on ELK and the server. (C.Rouillon)

1 Answer

You could change the rsyslog setting $ActionFileDefaultTemplate from the default RSYSLOG_TraditionalFileFormat to RSYSLOG_FileFormat, which has its timestamp in TIMESTAMP_ISO8601 format.

Edit the /etc/rsyslog.conf file.

#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_FileFormat

Then restart the rsyslogd daemon.

systemctl restart rsyslog

The log format will then look similar to this:

2016-02-07T03:47:14.300009+01:00 foo rhsmd: This system is registered to RHN Classic.
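The following is an added example, not code from the question or the answer above, that shows why the two rsyslog templates behave so differently once the lines reach a collector. A RSYSLOG_TraditionalFileFormat stamp has no year and no zone, so whatever parses it has to invent both (Python's strptime fills in 1900; the pipeline in the question evidently filled in 2000). A RSYSLOG_FileFormat stamp carries year, microseconds and UTC offset and needs no guessing. The sample lines, the collector clock DEMO_NOW (UTC+1, so that the 15:54:01 local line lands at 14:54:01Z as in the question's record) and the year-boundary clock YEAR_BOUNDARY_NOW are all constructed for the demo, and the year-inference rule in parse_traditional is one reasonable heuristic for lines that already exist on disk, not something rsyslog or Logstash does for you.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not taken from the asker's server): one in the
# RSYSLOG_TraditionalFileFormat shown in the question, one in the ISO 8601
# RSYSLOG_FileFormat the answer switches to.
TRADITIONAL_LINE = "Feb  9 15:54:01 dev postfix/qmgr[1164]: 7DF9D1803D0: removed"
ISO_LINE = "2016-02-09T15:54:01.300009+01:00 dev postfix/qmgr[1164]: 7DF9D1803D0: removed"

# Hypothetical collector clocks for the demo: the first is the client's local
# zone (CET, UTC+1) on the day of the question, the second sits just after a
# New Year to exercise the year-boundary case.
DEMO_NOW = datetime(2016, 2, 9, 16, 0, 0, tzinfo=timezone(timedelta(hours=1)))
YEAR_BOUNDARY_NOW = datetime(2017, 1, 2, 0, 0, 0, tzinfo=timezone.utc)

TRADITIONAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
ISO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{3}(?:\d{3})?)?[+-]\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def strptime_without_year(ts):
    """What a naive parser does with a year-less stamp: it invents a year.
    Python's strptime fills in 1900; the pipeline in the question got 2000.
    Either way @timestamp and the daily index name come out wrong."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_traditional(ts, now):
    """Legacy BSD syslog stamp ('Feb  9 15:54:01'): no year, no zone.
    Take the year and zone from the collector's clock, but a month/day that
    would land in the future (a 'Dec 31' line read on Jan 2) belongs to the
    previous year.  Feb 29 in a non-leap year is not a valid candidate and
    is skipped by the ValueError branch."""
    mon, day, clock = ts.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    for year in (now.year, now.year - 1):
        try:
            candidate = datetime(year, MONTHS[mon], int(day), hh, mm, ss,
                                 tzinfo=now.tzinfo)
        except ValueError:
            continue
        if candidate - now <= timedelta(days=1):
            return candidate
    raise ValueError(f"cannot place {ts!r} in {now.year} or {now.year - 1}")


def parse_iso(ts):
    """RSYSLOG_FileFormat stamps carry year, fraction and UTC offset, so the
    value is unambiguous; normalise to UTC the way Elasticsearch stores it."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def parse_line(line, now=DEMO_NOW):
    """Parse either rsyslog file format into the fields a Filebeat/Logstash
    pipeline would index, plus a flag saying whether the year was guessed."""
    m = ISO_RE.match(line)
    if m:
        stamp, inferred = parse_iso(m["ts"]), False
    else:
        m = TRADITIONAL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        stamp = parse_traditional(m["ts"], now).astimezone(timezone.utc)
        inferred = True
    return {"timestamp": stamp.isoformat(), "host": m["host"],
            "message": m["rest"], "year_inferred": inferred,
            "index": f"filebeat-{stamp:%Y.%m.%d}"}


if __name__ == "__main__":
    print("naive strptime year:", strptime_without_year("Feb  9 15:54:01").year)
    for line in (TRADITIONAL_LINE, ISO_LINE):
        print(parse_line(line))
    print(parse_line("Dec 31 23:59:59 dev cron[1]: job done", now=YEAR_BOUNDARY_NOW))
```

Switching the template, as the answer suggests, is the clean fix for new lines: nothing has to be inferred and the stamp survives a restart, a clock change or a client that has been up for more than a year. The traditional-format branch is only for lines already on disk, and it still depends on being told the client's local zone; the question's record (15:54:01 local stored as 14:54:01Z) is what that conversion looks like when the zone is right.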