Okay, I think setting the servers to UTC handled the storage side of things. However, the web side was still messed up until I changed the timezone in web.conf to UTC and restarted graylog-webserver.
All seems to be functioning now, I watch the event stream and it's getting logged with the correct time. I'm thinking the handoff from syslog-ng to Graylog may have been what was confusing things on the service side, syslog-ng was already handing UTC times to Graylog (since the events were coming from the cloud, which operates in UTC because there's no "local" time there), and then Graylog assumed they were localtime syslogs and added another 8-hour offset to turn them into UTC. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/d399cb35-c471-4b0e-b5b0-d4fbec36f6fe%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
