topic Re: How to set the time zone/alias for syslog data in Getting Data In

How to set the time zone/alias for syslog data

AhmadKhattak20 — Mon, 17 May 2021 11:44:42 GMT

Hi There,

So, the scenario is that we have a central syslog server which receives syslog messages from different servers in the organization.

When the syslog data is received on the syslog server, there is a universal forwarder agent on the syslog server that forwards it to Splunk. The issue is that some servers are using UTC time zone and therefore the syslog data from those servers contains UTC Timestamp.

Is there a way to change how the forwarder interprets the syslog data file received from those servers? I've tried editing TZ=UTC and TZ-ALIAS=UTC in props.conf with the source stanza specifying the path for those specific log files that have UTC Timestamp in events. However in Splunk I still see those events with the UTC Time Stamp.

This is an issue due to which we can't properly search. Any advice would be much appreciated. Thanks.

Re: How to set the time zone/alias for syslog data

javiergn — Mon, 17 May 2021 11:53:33 GMT

Hi,

You can use the source:: and host:: stanzas within props.conf in order to edit the time zone for specific filepaths or host names. I normally use the source as it is unique to this particular type of data (Syslog) as opposed to the host. For instance:

[source::/var/log/syslog/firewall/myserverfilename*.log] TZ=Europe/Madrid

See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Regards,

Re: How to set the time zone/alias for syslog data

richgalloway — Mon, 17 May 2021 11:57:18 GMT

Have the syslog server put each source server's data into a different file. The Universal Forwarder should monitor each file. The inputs.conf file for the UF will have the appropriate TZ setting for each monitored file.

Re: How to set the time zone/alias for syslog data

AhmadKhattak20 — Tue, 18 May 2021 06:56:26 GMT

Hi @richgalloway , yes there is a different directory and file maintained. Although I've not used the inputs.conf to set the TZ property rather I've used the props.conf to set the TZ property.

Hi @javiergn, Yes, I've used this source stanza in the props.conf file however the events from the file still show up with UTC Timestamp.

Re: How to set the time zone/alias for syslog data

javiergn — Tue, 18 May 2021 07:21:25 GMT

Can you send a screenshot of the event's raw and _time?

Simple run your search:

index=foo sourcetype=bar source=yoursyslogsource | head 1 | table _time, _raw

And also confirm what your user timezone is within the interface:

Regards,

Re: How to set the time zone/alias for syslog data

richgalloway — Tue, 18 May 2021 12:53:22 GMT

You're right, the TZ property is set in props.conf, but it should be done on the UF.

Re: How to set the time zone/alias for syslog data

AhmadKhattak20 — Wed, 19 May 2021 04:48:56 GMT

Hi @javiergn ,

I ran the command that you gave me,

index=indexname sourcetype=syslog source=sourcename | head 1 | _raw, _time

The result that I got was the following, (only showing the timestamps result)

_raw	_time
May 19 04:30:01	2021-05-19 04:30:01

It seems that Splunk is still extracting the time stamp from the event data itself and not converting the UTC time stamp to the one being used in Splunk Preferences.

The time zone preference set in Splunk User Preferences is below

For reference what I've done in props.conf on the UF running on the Syslog Server is following,

[source::/path/*.log] TZ=UTC TZ_ALIAS=UTC

Re: How to set the time zone/alias for syslog data

javiergn — Wed, 19 May 2021 08:35:36 GMT

Hi @AhmadKhattak20,

Couple of things:

- You don't need the TZ_ALIAS. TZ = UTC is perfectly valid

- Where is this props.conf located within your Splunk installation directory?

- Can you also paste the value of your source so that we can validate the stanza? Use the following query

index=indexname sourcetype=syslog source=sourcename | head 1 | table _raw, _time, source

Re: How to set the time zone/alias for syslog data

AhmadKhattak20 — Wed, 19 May 2021 09:19:45 GMT

Hi @javiergn,

I've removed the TZ_ALIAS from the props.conf.

I'm pushing the app from the deployment server onto the Syslog Server where a Splunk UF is installed.

On the Syslog Server, this is located under /opt/splunk/etc/apps/custom-app-folder/local/props.conf

I ran the query that you mentioned and the results are following,

_raw	_time	source
May 19 09:10:01 ….	2021-05-19 09:10:01	/var/splunk/path/ipaddress/2021-05-19-servername.log

I verified that the source that was showing up in the query results is the same that I'm using in the props.conf stanza for source, (this props.conf is pushed on the syslog server - it is not present in any indexers/search head)

[source::/var/splunk/path/ipaddress/*.log] TZ = UTC

Re: How to set the time zone/alias for syslog data

javiergn — Wed, 19 May 2021 09:36:46 GMT

OK, I think I know what the problem is thanks to your answer.

Your props.conf needs to go to your indexer (or Intermediate/Heavy Forwarder if there is any before reaching the Indexer). That's because you are using a Universal Forwarder and the TZ setting in props.conf is applied at parsing time:

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

Re: How to set the time zone/alias for syslog data

AhmadKhattak20 — Wed, 19 May 2021 11:40:15 GMT

Thank you, I pushed the props.conf with the below stanza on indexers and now I'm getting expected results.

[source::/var/splunk/path/ipaddress/*.log] TZ = UTC

Re: How to set the time zone/alias for syslog data

javiergn — Wed, 19 May 2021 12:13:48 GMT

Great. Glad it worked.

Please don't forget to upvote the answers if you are happy with them.

Regards,