[syslog-ng] Elasticsearch destination and time-zone info

Evan Rempel erempel at uvic.ca
Mon Sep 28 22:11:38 CEST 2015


We are in the process of integrating our logging infrastructure into elasticsearch with Kibana, but have a slight challenge regarding time zones.

Some of our equipment will only log in UTC time. This is not an issue because Kibana does time presentation in localtime.
Most of our hosts log with our local timezone. This all works out fine due to the way Kibana displays the logs - localtime.

The problem is that the elasticsearch indexes roll over based on some template (XXXX-YYYY-MM-DD) or such, and this template
will produce an incorrect set of messages. For example, I live in time zone -7:00. This means that any messages after 17:00 (17:00 + 7:00 = 00:00 the next day)
that were logged with UTC will go into the index for the next day.

So, is there any way to set the time-zone option for the elasticsearch destination?

Alternatively, are there any date templates where I could do something like

$(timezone UTC $ISODATE)
$(timezone UTC $HOUR)

in my template?

Any help would be appreciated.


-- 
Evan Rempel                                      erempel at uvic.ca
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria
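As an added illustration of the rollover mismatch described in the post (not code from the post or from syslog-ng), here is a small Python check that derives the daily index name from an ISODATE value, once as written and once after normalising to a single zone. The sample timestamps and the `syslog-` index prefix are constructed; the -7:00 zone is the one named in the post.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample ISODATE values for the SAME instant (00:30 UTC on
# 2015-09-29, i.e. 17:30 the previous evening in UTC-07:00): one host
# stamps in UTC, the other in the poster's local zone.
UTC_STAMP = "2015-09-29T00:30:00+00:00"
LOCAL_STAMP = "2015-09-28T17:30:00-07:00"

# Assumed: the poster's "-7:00" zone, as a fixed offset for the example.
LOCAL_TZ = timezone(timedelta(hours=-7))


def index_name(isodate, prefix="syslog", index_tz=None):
    """Return the daily index (prefix-YYYY-MM-DD) a message lands in.

    index_tz=None reproduces the problem: the date is taken from the
    timestamp exactly as the sending host wrote it, so each host's own
    zone decides the day.  Passing a tzinfo converts the timestamp to
    that zone first, so every message for one instant shares an index.
    """
    ts = datetime.fromisoformat(isodate)
    if ts.tzinfo is None:
        raise ValueError("ISODATE must carry a UTC offset")
    if index_tz is not None:
        ts = ts.astimezone(index_tz)
    return f"{prefix}-{ts:%Y-%m-%d}"


def same_index(stamps, index_tz=None):
    """True if all stamps map to one index under the given normalisation."""
    return len({index_name(s, index_tz=index_tz) for s in stamps}) == 1


if __name__ == "__main__":
    for tz in (None, LOCAL_TZ, timezone.utc):
        label = "as written" if tz is None else f"normalised to {tz}"
        print(label, index_name(UTC_STAMP, index_tz=tz),
              index_name(LOCAL_STAMP, index_tz=tz))
```

With no normalisation the UTC host's message goes to the 2015-09-29 index while the local host's copy of the same instant goes to 2015-09-28; picking one zone for the index date (either one) keeps them together.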


