Hi, I was wondering how Crowdsec handles log formats? As far as I know, Crowdsec by default parses logs in UTC, but what if the log follows server time and doesn't have any timezone? Can you help me understand how Crowdsec will handle the logs below:
2025-03-22 18:07:03.095+0800
2025-03-22 18:07:03.095 +0800
2025-03-22 18:07:03.095
Is it possible to set Crowdsec to the same timezone as the host machine?
If the log looks like 2025-03-22 18:07:03.095, does Crowdsec then assume the timezone is +0000, or can we adjust the timezone in Crowdsec on that particular machine? Anyone??
So there are two modes in CrowdSec: live and timemachine.
Live is, well, live, so the timestamp in the log is ignored, as we only care about our runtime datetime (which is UTC by default).
Timemachine cares about the timestamp, because when we are processing old logs we cannot presume they are not old, so we take the timestamp and parse it, offset to UTC time. So, for example, if your log shows +0800, the alert will still trigger but will show the timestamp + 8 hours.
Hopefully that is easy to understand.
If you wish to alter the timezone that CrowdSec is operating in, then you must set the TZ variable within the systemd configuration file, like so:
# /etc/systemd/system/crowdsec.service
[Unit]
Description=Crowdsec agent
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=notify
Environment=LC_ALL=C LANG=C
ExecStartPre=/usr/local/bin/crowdsec -c /etc/crowdsec/config.yaml -t -error
ExecStart=/usr/local/bin/crowdsec -c /etc/crowdsec/config.yaml
#ExecStartPost=/bin/sleep 0.1
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/crowdsec.service.d/override.conf
[Service]
Environment=TZ=Europe/Paris
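To make the three cases from the question concrete, here is a small added example (my own illustration, not CrowdSec's parser) of what any timestamp parser has to do with them: a timestamp that carries its own offset can be shifted to UTC unambiguously, while a naive one has no offset at all, so the only thing a parser can do is assume the zone the process is running in, which is exactly what the TZ variable in the systemd override controls. The sample lines are copied from the question and the zone names in ZONES are my own labels; fixed offsets are used instead of zoneinfo names so the example runs without tzdata installed, but ZoneInfo("Europe/Paris") would slot in the same way.

```python
"""Added example: how the three timestamp formats from the question parse,
and why the naive one depends on the zone the process runs in.
Not CrowdSec's own code; it only illustrates the behaviour described above."""
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps, copied from the question (not real log data).
SAMPLES = [
    "2025-03-22 18:07:03.095+0800",   # offset glued on
    "2025-03-22 18:07:03.095 +0800",  # offset after a space
    "2025-03-22 18:07:03.095",        # no offset at all (naive)
]

# Formats tried in order. The offset-bearing ones come first so that a naive
# format never swallows a timestamp that actually carried an offset.
FORMATS = [
    "%Y-%m-%d %H:%M:%S.%f%z",
    "%Y-%m-%d %H:%M:%S.%f %z",
    "%Y-%m-%d %H:%M:%S.%f",
]

# Hypothetical zone labels standing in for the TZ variable the agent runs under.
# Fixed offsets are used so this runs without tzdata; zoneinfo.ZoneInfo names
# (e.g. "Europe/Paris") could be used instead.
ZONES = {
    "UTC": timezone.utc,
    "+0800": timezone(timedelta(hours=8), "+0800"),
    "+0100": timezone(timedelta(hours=1), "+0100"),
}


def parse_to_utc(raw: str, process_tz: str) -> datetime:
    """Parse one timestamp and return it as an aware datetime in UTC.

    If the timestamp carries an offset it is simply converted to UTC.
    If it is naive, it is assumed to have been written in process_tz
    (the zone the parsing process runs in) before conversion.
    """
    for fmt in FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue  # wrong shape for this format, try the next one
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=ZONES[process_tz])
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp format: {raw!r}")


def utc_iso(raw: str, process_tz: str) -> str:
    """parse_to_utc rendered as an ISO 8601 string, for easy comparison."""
    return parse_to_utc(raw, process_tz).isoformat(timespec="milliseconds")


def compare_zones(samples=SAMPLES, zones=("UTC", "+0800")) -> dict:
    """Return {sample: {zone: utc_iso}} to show the effect of the process zone."""
    return {s: {z: utc_iso(s, z) for z in zones} for s in samples}


if __name__ == "__main__":
    for sample, results in compare_zones().items():
        print(sample)
        for zone, when in results.items():
            print(f"  process TZ={zone:<6} -> {when}")
```

Running it shows that the two offset-bearing lines land on 10:07:03.095 UTC whatever the process zone is, while the naive line is read as 18:07:03.095 UTC when the process runs in UTC and as 10:07:03.095 UTC when it runs in +0800. That difference is the whole reason to set TZ on the agent when your logs are written in local time without an offset.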
Thank you so much for the explanation 
