How to add timezone to timestamp in unixtime

Question

I want to know whether it is possible for the parser to add a timezone when the log timestamp is in Unix time.

I tried the following code, but when logtime is in Unix time, it results in an error, and I confirmed that the current time is inserted as the timestamp instead.

---------------

date {
match => ["logtime", "yyyy-MM-dd HH:mm:ss"]
timezone => "America/New_York"
on_error => "no_match"

}

---------------

I also considered adding a numeric timezone offset to the Unix time before the date function, but it seems that the parser cannot perform arithmetic operations.

Is it technically possible to add a timezone to a Unix timestamp in the first place?

Best answer by Eoved

Hi,
What are you using to ingest those logs? If you’re using BindPlane, you have options for modifying log body timestamps.
References:

https://docs.bindplane.com/how-to-guides/modifying-log-body-timestamps
https://docs.bindplane.com/integrations/processors/parse-timestamp

Eoved · Accepted Answer

Hi,What are you using to ingest those logs? If you’re using BindPlane, you have options for modifying log body timestamps.References:https://docs.bindplane.com/how-to-guides/modifying-log-body-timestampshttps://docs.bindplane.com/integrations/processors/parse-timestamp

JeremyLand · Answer

The short version - It is not possible to apply an offset to a Unix formatted timestamp directly in the parser.

Recommendation:
The UNIX timestamp specification is in UTC time. If a device is sending “UNIX” but in a different time zone they aren’t actually sending you UNIX, they are sending events with a bad timestamp. I recommending having the admin for the offending system correct their system clocks/time zone config so you get correct timestamps. In addition to correcting the time zone on the source system, you will need to make a parser change to support UNIX format timestamps.

The parsing error you are receiving is likely because you haven't specified UNIX as a valid timestamp format for the date function, not because of an issue with the time zone application. Unix is a supported format but you do need to specify it like this: match => ["logtime", "yyyy-MM-dd HH:mm:ss", "UNIX"] to allow matching. This will resolve the error message on its own, but unless the source system is updated with the correct tz your event timestamps will be parsed assuming they are in UTC and will be off by 4 or 5 hours depending on daylight savings.

Note: The Date function gives precedence to the time zone identifier in a timestamp over the time zone function argument. In order for the time zone function to apply the time zone specified in the parser, the timestamp must not have a tz/offset identifier. The UNIX timestamp format has the implied UTC identifier and is not impacted by the time zone function argument.

Alternate Option:
If you are unable for get the issue corrected at the source and need to compensate for it during SecOps ingest then @Eovid‘s recommendation is the path.

The extra complexity you may face is that I don’t believe any of the timestamp processors will let you directly modify the time zone when reading from UNIX time. There may be an easier method but I believe following the ‘modify log body timestamps’ guide you will need to modify step 3 to write without the time zone identifier when converting back to a string. Then you can add additional processors to parse that string back to a timestamp object, using the ‘manual’ log time format (which will allow you to specify the time zone), then writing that timestamp with the corrected time zone back to a string and reassembling the log body.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded