Time format not handled properly

[herangstl]

I use Fluent Bit (v1.6.3) -> Gelf -> Graylog

Depending on the time of year, the timestamps from my logfiles are off by 1 or 2 hours in Graylog.

On my machines, the output of

date +"%Z %z"

shows in winter: CET +0100
and in summer: CEST +0200

/etc/timezone is set to "Europe/Berlin"

My logfiles look like this:

2020-11-20 12:20:46,788	INFO 	[pool-4-thread-1]	[user.name.id=ffb2c7919e746423]

This "12:20:46,788" ends up as "13:20:46,788" in Graylog (Elasticsearch).

The relevant part of my Fluent Bit configuration:

[PARSER]
    Name p_multiline
    Format regex
    Regex ^(?<timestamp>20\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?<level>[^\s]+)\s+\[(?<thread>[^\t\n]*)\]\s+\[(?<pro_properties>[^\t\n]*)\]\s+(?<full_message>.*)

[PARSER]
    Name p_extract_timestamp
    Format regex
    Regex ^(?<time>.*)
    Time_Key time
    Time_Format %Y-%m-%d %H:%M:%S,%L

As a workaround I added "Time_Offset +0200" in summer and "Time_Offset +0100" in winter - but this means I have to change all my Fluent Bit configurations two times a year on all my hosts, which is a pita.

It seems Fluent Bit always assumes timestamps are in UTC - and does not care about the machines timezone. Imho it would be better if Fluent Bit would assume: "timezone in logfile = timezone of host machine".

After reading #2388 I was hoping this is fixed now - but it seems its not. I am using v1.6.3.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions]

This issue was closed because it has been stalled for 5 days with no activity.