Running OpenSearch v2.12.0
I have a syslog data stream and index set up with a mapping to add a @timestamp field with a date type. It seems like OpenSearch is using the timestamp in the message field to create the @timestamp field.
Here’s a sample of two docs that came in sequentially.
{
  "_index": ".ds-logs-cribl-syslog-000001",
  "_id": "ZSothzTRbULChLp2",
  "_score": null,
  "_source": {
    "message": "91: *Mar 27 20:50:17.851: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marty] [Source: 192.168.1.158] [localport: 22] at 20:50:17 UTC Wed Mar 27 2024",
    "severity": 5,
    "facility": 23,
    "host": {
      "name": "192.168.1.30"
    },
    "severityName": "notice",
    "facilityName": "local7",
    "_raw": "<189>91: *Mar 27 20:50:17.851: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marty] [Source: 192.168.1.158] [localport: 22] at 20:50:17 UTC Wed Mar 27 2024",
    "cribl_pipe": "open_search",
    "@timestamp": "2024-03-27T20:50:18.894Z"
  },
  "sort": [
    1711572618894
  ]
},
{
  "_index": ".ds-logs-cribl-syslog-000001",
  "_id": "DouIRY1HUNFe9bFH",
  "_score": null,
  "_source": {
    "message": "[LAN_LOCAL-default-A]IN=eth1 OUT= MAC=e0:63:da:54:ab:15:3a:1f:2b:0f:5c:69:08:00 SRC=192.168.1.6 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=28764 DF PROTO=TCP SPT=8080 DPT=41088 WINDOW=501 RES=0x00 ACK FIN URGP=0 ",
    "severity": 4,
    "facility": 0,
    "host": {
      "name": "ubnt"
    },
    "appname": "kernel",
    "severityName": "warning",
    "facilityName": "kern",
    "_raw": "<4>Mar 27 16:52:47 ubnt kernel: [LAN_LOCAL-default-A]IN=eth1 OUT= MAC=e0:63:da:54:ab:15:3a:1f:2b:0f:5c:69:08:00 SRC=192.168.1.6 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=28764 DF PROTO=TCP SPT=8080 DPT=41088 WINDOW=501 RES=0x00 ACK FIN URGP=0 ",
    "cribl_pipe": "open_search",
    "@timestamp": "2024-03-27T16:52:47.000Z"
  },
  "sort": [
    1711558367000
  ]
}
Here is the mapping for this index:
{
  "mappings": {
    "_data_stream_timestamp": {
      "enabled": true
    },
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "_raw": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "appname": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "cribl_pipe": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "facility": {
        "type": "long"
      },
      "facilityName": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "host": {
        "properties": {
          "name": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "message": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "procid": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "severity": {
        "type": "long"
      },
      "severityName": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
  }
}
Is there a way to configure OpenSearch so that it always uses UTC for the @timestamp field?
Thanks