Add timezone metadata

[joshuaspence]

There are a few log formats that I am parsing with Filebeat + Logstash in which the logs contain a timestamp but no timezone. For example, here is a log event from nginx error logs:

2016/10/30 19:40:06 [error] 10522#10522: *42075309 broken header: "" while reading PROXY protocol, client: x.x.x.x, server: 0.0.0.0:443

In all of the cases I have seen, the timestamp is logged in the local timezone (that is, the timezone of the host on which Filebeat is running). The problem, however, is that Logstash doesn't have enough information from which the host's timezone can be inferred. Consequently, Logstash ingests the log event using the local timezone for the host that is running Logstash (which may or may not be the same as the timezone of the host which is running Filebeat).

Obviously, it would be great if all logs could contain enough information such that the timestamp is unambigious, but this is overly ambitious. Instead, it would be great if Filebeat could add a [beat][timezone] field to all log events processed. This field could then be used in Logstash with the date filter.

[ruflin]

A potential solution here could be that you write the timezone of your server to an environment variable and add it as one of the fields variable to the config file.

fields: 
- timezone: ${TIMEZONE}

Like this you will have the timezone information in each event.

[def324]

I'd love to have this feature as well. The problem with the environment variable is that it would break if the server timezone gets updated. On the other hand if beats handles it natively it could always send the current up to date timezone.

[ruflin]

@def324 Can you share the use case where the TIMEZONE of a server would change of its lifetime?

[def324]

I had a situation where we consolidated servers that were previously managed by different departments. Some preferred to have their servers in EST, some in UTC. We ended up changing them all to UTC to bring them to one standard.

I guess one way would be to write the TIMEZONE variable on startup or on start of the beat, but I'm thinking having it integrated would be a cleaner approach.

[monicasarbu]

We added support for timezone in all Beats to export beat.timezone in case the add_locale processor is configured:

processors:
 - add_locale: