Im parsing W3C IIS logs and I'm using what I found in this article as a starter.
But this part of his logstash config Im unsure of:
## Set the Event Timesteamp from the log
#
date {
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}
log_timestamp comes from: match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp}.....
My question is why is he using "Etc/UTC" and not just "UTC"? This is the only example I could find online of a logstash config using "Etc/UTC".
Is this necessary because of IIS? What would happen if I just did UTC? They should be identical (etc/UTC just the "long" name) but I want to confirm.
The supported timezones for the date filter are listed here:
http://joda-time.sourceforge.net/timezones.html
Etc/UTC is one of the allowed timezones for Universal Time Coordinated. UTC is also an allowed value. They're synonyms.