Once you’re running syslog-ng | logstash | elasticsearch to archive all the syslogs from your servers, there is probably something you haven’t noticed: syslog doesn’t care about the year.
So when 2015 came, Logstash didn’t know about it and pushed into elasticsearch the year of its last start. So your January 2015 syslogs ended up with the January 2014 ones…
How did I fix it? I restarted logstash when I understood the problem, but it was somewhat too late.
A solution is explained here: https://discuss.elastic.co/t/syslog-date-without-year/29834 but you need some more code to handle the year change, and using @timestamp doesn’t allow you to replay pieces of logs when you need to…
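As an added illustration (not code from the post or from Logstash), here is the year-inference rule a pre-processor can apply before the date filter: pick the most recent year in which the RFC 3164 timestamp is not in the future, so a Dec 31 line received on Jan 1 is placed in the previous year instead of twelve months ahead. The sample lines and the `skew` allowance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 3164 style: no year in the timestamp).
SAMPLE_LINES = [
    "Dec 31 23:59:58 web01 sshd[1234]: Accepted publickey for deploy",
    "Jan  1 00:00:03 web01 sshd[1235]: Accepted publickey for deploy",
]


def infer_year(ts_without_year: str, now: datetime,
               skew: timedelta = timedelta(hours=12)) -> datetime:
    """Attach a year to a 'Mon dd HH:MM:SS' timestamp.

    Tries the current year first, then the previous one, and keeps the
    first candidate that is not in the future beyond a small clock-skew
    allowance. This is what makes the Dec 31 -> Jan 1 rollover land in
    the right year without restarting anything.
    """
    # split() collapses the double space syslog uses for single-digit days.
    month, day, clock = ts_without_year.split()
    for year in (now.year, now.year - 1):
        try:
            candidate = datetime.strptime(f"{year} {month} {int(day)} {clock}",
                                          "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # e.g. Feb 29 in a year that is not a leap year
        if candidate <= now + skew:
            return candidate
    raise ValueError(f"cannot place timestamp: {ts_without_year!r}")


def stamp_line(line: str, now: datetime) -> datetime:
    """Return the full timestamp of a syslog line, using the receive time
    `now` (normally datetime.now()) to decide which year it belongs to."""
    return infer_year(line[:15], now)  # RFC 3164 timestamp is 15 characters


if __name__ == "__main__":
    received_at = datetime(2015, 1, 1, 0, 0, 10)  # constructed receive time
    for raw in SAMPLE_LINES:
        print(stamp_line(raw, received_at).isoformat(), raw[16:])
```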