Getting Data In
Highlighted

Are Windows Eventlogs from windows forwarder lacking timezone

Communicator

I'm trying to get a configuration going with light forwarders on many windows servers in different timezones.

It appears that a windows light forwarder does not include timezone info with the WinEvenLog input sources.

Has anyone succeeded in sorting out windows eventlog timestamps in such a configuration? Am i crazy and am missing a simple fix? I really don't want to declare the timezone in props.conf for each windows host individually.

Highlighted

Re: Are Windows Eventlogs from windows forwarder lacking timezone

Communicator

Additional info: playing with splunkd light forwarder on windows, i see that it sends rawdata with a timestamp reflecting whatever timezone the server was in when splunkd started. For example, changing the server timezone will not immediately change the timestamps logged by splunk.

Maybe it has something to do with the API splunk uses to get Eventlog data. It'd be nice if it included timezone in the forwarded message, though.

0 Karma
Highlighted

Re: Are Windows Eventlogs from windows forwarder lacking timezone

Legend

You are correct. This is a bad flaw in the Splunk Windows input processors. I am surprised I do not see more about this here on answers.splunk.com. Another related flaw is the use of two-digit years, but whatever.

Please file an enhancement request on this. Unfortunately I don't have a solution for you other than to either configure the timezone on the indexers, or to start the Splunk process under the same time zone as the indexers. Neither is a good solution. Another way to fix this would be for the Splunk forwarders to be able to pass the timezone of an input down in the metadata (the way it can pass host, sourcetype, source, index, etc.) But this is also currently impossible.

View solution in original post

Highlighted

Re: Are Windows Eventlogs from windows forwarder lacking timezone

Communicator

Thank you for the confirmation. Maybe managing each non-standard timezone host individually in props.conf isn't the end of the world. I guess i might later run into problems if i collect other logs flatfile inputs that are in UTC on that host but without a timezone. Enhancement request is filed. 🙂

0 Karma