Syslog RFC 3164 messages use the year of the Graylog server's Operating System Timezone instead of the input's configured timezone #21472
Description
Syslog RFC 3164 messages use the year of the Graylog server's Operating System Timezone instead of the input's configured timezone.
Unfortunately, Syslog RFC 3164 does not include a year so the Graylog-server must add the year to the date/time parsing. However, even though the Syslog Input (Syslog UDP via Graylog Forwarder) is configured to use my local timezone (America/New_York), both my Graylog Forwarder and Graylog[-server] servers have their operating system timezone set to UTC+0000.
This appears to have caused syslog messages received from 00:00-04:59 UTC to have their date set 1 year into the future:
I can confirm that both the syslog input AND the source device(s) sending Syslog RFC 3164 all have the same timezone configured (America/New_York).
A sample syslog message:
<134>Jan 28 10:46:06 pfsense-haproxy haproxy[64265]: 192.168.0.106:43206 [28/Jan/2025:10:46:06.051] mariadb mariadb_ipvANY/mariadb2 1/0/10 196 -- 4/1/0/0/0 0/
Expected Behavior
Date and time of log messages is set correctly
Current Behavior
Graylog appears to be using the timezone of the server (unclear if this is the Forwarder server or the Graylog server) to add the year, which would have rolled over to 2025 at 7p EST causing 5 hours of logs to have their year set 1 year into the future.
Possible Solution
Steps to Reproduce (for bugs)
Context
Found this by accident because Graylog seemed to incorrectly tell me my search had available search results located in data warehouse. Double checking data warehouse revealed messages 1 year into the future.
Your Environment
- Graylog Version: 6.1
- Java Version: bundled
- OpenSearch Version: 2.15.0
- MongoDB Version: 7.0.16
- Operating System: Ubuntu Server 22.04 LTS
- Browser version: Google Chrome Version 131.0.6778.267 (Official Build) (arm64)
Please let me know if there are any questions!
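
The year-inference problem described in this report, modelled as an added example (not Graylog's code and not part of the original report). The function names, the one-day skew limit and the two sample clock values are assumptions made for illustration; the guarded variant goes slightly beyond the report by also handling a message stamped before local midnight but processed after it.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

UTC = timezone.utc
try:
    NY = ZoneInfo("America/New_York")
except Exception:  # no tz database installed: EST is UTC-5 at the year boundary
    NY = timezone(timedelta(hours=-5))

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def attach_year(text, input_tz, now_utc, year_tz):
    """Give a year-less 'Mmm dd hh:mm:ss' stamp the current year as seen in year_tz."""
    mon, day, clock = text.split()
    hour, minute, second = (int(p) for p in clock.split(":"))
    year = now_utc.astimezone(year_tz).year
    return datetime(year, MONTHS.index(mon) + 1, int(day),
                    hour, minute, second, tzinfo=input_tz)

def attach_year_guarded(text, input_tz, now_utc, max_skew=timedelta(days=1)):
    """Take the year from the input's zone, then step back one year if the
    result lies further in the future than clock skew could explain."""
    stamp = attach_year(text, input_tz, now_utc, year_tz=input_tz)
    if stamp - now_utc > max_skew:
        stamp = stamp.replace(year=stamp.year - 1)
    return stamp

# Constructed scenario: 00:30 UTC on 1 Jan 2025 is 19:30 on 31 Dec 2024 in New York.
ROLLOVER_NOW = datetime(2025, 1, 1, 0, 30, tzinfo=UTC)
# Constructed scenario: stamped just before local midnight, processed just after it.
LATE_NOW = datetime(2025, 1, 1, 5, 0, 2, tzinfo=UTC)

if __name__ == "__main__":
    for label, stamp in [
        ("year from server zone (UTC)", attach_year("Dec 31 19:30:00", NY, ROLLOVER_NOW, UTC)),
        ("year from input zone", attach_year("Dec 31 19:30:00", NY, ROLLOVER_NOW, NY)),
        ("late arrival, unguarded", attach_year("Dec 31 23:59:59", NY, LATE_NOW, NY)),
        ("late arrival, guarded", attach_year_guarded("Dec 31 23:59:59", NY, LATE_NOW)),
    ]:
        print(f"{label:30} {stamp.isoformat()}")
```

Events dated a year ahead fall outside the time ranges that searches, alert rules and retention jobs normally cover, so a sanity check of this kind is worth having on any RFC 3164 ingestion path.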