I'm using nxlog to parse a json file and transfer it to Graylog. When it transfer to Graylog the format of a timestamp is changed.

How can i prevent nxlog to change the timestamp format ?

Thanks in advance

AskedSeptember 13, 2016 - 5:53pm

Comments (4)

  • b0ti's picture

    Can you be more specific?

    strftime() can be used to create a custom format. The GELF format uses an integer value to transfer the timestamp which is then converted by Graylog to the human readable form when it is displayed.

  • Johan THOMAS's picture

    Thanks for your response

    i dont think the graylog server has something to do in this problem because when i do a tcpdump on the server that sends the logs (so before graylog receive it) i see that the timestamp is like that: "_httpd_timestamp2":"2016-09-14.09:10:20",

    And in the JSON log file it's like that: "httpd_timestamp2": "2016-09-14T09:10:20.012+0200",

    My nxlog.conf is very simple :


    <Input in1>
    Module im_file
    File '/var/log/httpd/access.log'
    SavePos TRUE
    ReadFromLast TRUE
    Exec parse_json();

    <Output out1>
    Module om_tcp
    Host xx.xx.xx.xx
    Port 12201
    OutputType GELF_TCP


    Any ideas ? thanks a lot !

  • b0ti's picture

    The json parser automatically detects datetime and converts it to an epoch value. When the JSON is generated the local time is used for datetime types (i.e. you get 2016-09-14.09:10:20).

    Here is what you can try.

    1. EventTime is treated and transferred specially in GELF, so you could do this:

    Exec rename_field('httpd_timestamp2', 'EventTime');

    2.  Reformat it with:

    Exec $httpd_timestamp2 = strftime($httpd_timestamp2, "%Y-%m-%dT%H:%M:%SZ");

    3. Capture it with a regexp:

    Exec if $raw_event =~ /\"httpd_timestamp2\": \"(.+)\"/ $httpd_timestamp2 = $1;

    The regexp here is untested.

    4. The NXLog Enterprise Edition supports a DateFormat configuration option for xm_json that can be used to specify the format in the generated JSON for the datetime types. This feature will be available in the NXLog Community Edition in the next major release.



Answer (1)

You could try changing the timestamp on your Graylog server

NTP Server

and verify it's on the same zone of your nxlog server.

After you must reconfigure your Graylog.

If you have many servers you must do that on all of them

I hope it helps

Comments (1)