DannyKELK

Reputation: 33

Trouble with Logstash @timestamp

I have set up ELK on my laptop and I am having trouble with the timestamp field. My input file looks like this ... (one line so far)

Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01

My code looks like this ..

input {
  file {
    path => "/usr/local/bin/firewall_log"
  }
}

filter {
  grok {
    match => { "message" => "%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action}" }
    add_tag => "checkpoint"
  }

  date {
    match => {"DATETIME" => "%{dd mmm yyyy hh:mm:ss}"}
    target => "@timestamp"
  }
}

output {
  elasticsearch { host => localhost }
}

When I run it, I get the following result

       "message" => "Chckpoint 502 10.189.7.138 Allow 18 Mar 2015 15:00:01   ",
      "@version" => "1",
    "@timestamp" => "2015-04-30T19:02:21.663Z",
          "host" => "UOD-220076",
          "path" => "/usr/local/bin/firewall_log",
          "type" => "Chckpoint",
          "nums" => "502",
      "sourceip" => "10.189.7.138",
        "Action" => "Allow",
          "tags" => [
        [0] "checkpoint"

This is fine EXCEPT for the timestamp - it shows today's date, but what I want it to do is set the timestamp to what is in the log file, in this case, 18 Mar 2015 15:00:01. Help please.

Upvotes: 0

Views: 148

Answers (1)

Alain Collins

Reputation: 16362

That's what the date{} filter will do for you, if you give it the right info.

First, define a custom pattern for your timestamp:

MYTIMESTAMP %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}

Then add it to your grok pattern so you get a new field:

%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action} %{MYTIMESTAMP:mytime}

Then you can pass the mytime variable to the date filter:

date {
  # match takes an array of field name followed by one or more Joda-Time patterns;
  # MMM matches an abbreviated month name such as "Mar" (MM would be a numeric month)
  match => ["mytime", "dd MMM YYYY HH:mm:ss"]
}

Upvotes: 2
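As an added illustration (not code from the question or the answer), here is a small Python model of what grok and the date filter do with this log line: it expands the %{NAME:field} references, including the custom MYTIMESTAMP, into a regex, then parses the captured mytime with a Joda-style pattern. The pattern regexes are simplified stand-ins for the Logstash built-ins (an assumption, not the originals), the log is assumed to be in UTC, and the Joda-to-strptime table is deliberately tiny; it goes a little beyond the answer by also showing that a numeric-month pattern (MM) rejects "Mar" where MMM accepts it.

```python
import re
from datetime import datetime, timezone

# Simplified stand-ins for the built-in grok patterns used here (constructed for
# this example, not the Logstash originals), plus the answer's custom pattern.
PATTERNS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "MONTHDAY": r"(?:0[1-9]|[12]\d|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]\d):[0-5]\d:[0-5]\d",
    "MYTIMESTAMP": "%{MONTHDAY} %{MONTH} %{YEAR} %{TIME}",
}
GROK = "%{WORD:type} %{NUMBER:nums} %{IP:sourceip} %{WORD:Action} %{MYTIMESTAMP:mytime}"
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Joda-Time letters (what the date filter uses) mapped to strptime directives.
# Note that MM is a numeric month and MMM an abbreviated name such as "Mar".
JODA = {"dd": "%d", "MMM": "%b", "MM": "%m", "yyyy": "%Y", "YYYY": "%Y",
        "HH": "%H", "mm": "%M", "ss": "%S"}

def expand(pattern):
    """Recursively turn %{NAME} / %{NAME:field} references into a regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)

def grok_match(line, pattern=GROK):
    """Return the named fields, or None on a grok parse failure."""
    m = re.search(expand(pattern), line)
    return m.groupdict() if m else None

def joda_to_strptime(fmt):
    return re.sub("|".join(sorted(JODA, key=len, reverse=True)),
                  lambda m: JODA[m.group(0)], fmt)

def event_timestamp(value, joda_fmt):
    # Like date{ match => [field, joda_fmt] }; raises ValueError on a mismatch.
    # Logstash uses the host's zone unless timezone => is set; UTC is assumed here.
    return datetime.strptime(value, joda_to_strptime(joda_fmt)).replace(tzinfo=timezone.utc)

def ingest(line, joda_fmt="dd MMM yyyy HH:mm:ss"):
    fields = grok_match(line)
    if fields is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    fields["@timestamp"] = event_timestamp(fields["mytime"], joda_fmt).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return fields
```

For a firewall feed, set timezone => explicitly in the real date filter; otherwise events from a device in another zone land at the wrong point on the timeline.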
