winevtlog input returns wrong timezone offset in TimeCreated during CET (non-DST) #11213
Description
Bug Report
Describe the bug
When using the winevtlog input with Fluent Bit on a Windows machine set to the timezone W. Europe Standard Time, the TimeCreated field returns an incorrect timezone offset.
Currently, the system is in CET (UTC+1), but Fluent Bit returns +0200 as the offset, which corresponds to CEST (UTC+2) (daylight saving time).
In comparison, the older winlog input module returns the correct offset (+0100) in the TimeGenerated field.
Tested with:
- Fluent Bit v4.0.10
- Fluent Bit v4.2.0
To Reproduce
On a Windows machine with timezone Central Europe, run:
"C:\Program Files\fluent-bit\bin\fluent-bit.exe" -i winevtlog -p Channels=System -o stdoutduring a non-daylight-saving period.
e.g.
C:\>"C:\Program Files\fluent-bit\bin\fluent-bit.exe" -i winevtlog -p Channels=System -o stdout
Fluent Bit v4.2.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io
______ _ _ ______ _ _ ___ _____
| ___| | | | | ___ (_) | / | / __ \
| |_ | |_ _ ___ _ __ | |_ | |_/ /_| |_ __ __/ /| | `' / /'
| _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / / /_| | / /
| | | | |_| | __/ | | | |_ | |_/ / | |_ \ V /\___ |_./ /___
\_| |_|\__,_|\___|_| |_|\__| \____/|_|\__| \_/ |_(_)_____/
Fluent Bit v4.2 ΓÇô Direct Routes Ahead
Celebrating 10 Years of Open, Fluent Innovation!
[2025/11/26 11:40:46.971942200] [ info] [fluent bit] version=4.2.0, commit=6bc014390c, pid=12652
[2025/11/26 11:40:46.974853000] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2025/11/26 11:40:46.974886600] [ info] [simd ] disabled
[2025/11/26 11:40:46.974898600] [ info] [cmetrics] version=1.0.5
[2025/11/26 11:40:46.974918800] [ info] [ctraces ] version=0.6.6
[2025/11/26 11:40:46.975436300] [ info] [input:winevtlog:winevtlog.0] initializing
[2025/11/26 11:40:46.975465400] [ info] [input:winevtlog:winevtlog.0] storage_strategy='memory' (memory only)
[2025/11/26 11:40:46.978534000] [ info] [sp] stream processor started
[2025/11/26 11:40:46.979255000] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2025/11/26 11:40:46.982491900] [ info] [output:stdout:stdout.0] worker #0 started
[0] winevtlog.0: [[1764153712.989395700, {}], {"ProviderName"=>"Service Control Manager", "ProviderGuid"=>"{555908D1-A6D7-4695-8E1E-26931D2012F4}", "Qualifiers"=>16384, "EventID"=>7036, "Version"=>0, "Level"=>4, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x8080000000000000", "TimeCreated"=>"2025-11-26 11:41:51 +0200", "EventRecordID"=>168822, "ActivityID"=>"{C122DD77-B60F-45C2-A0CD-8E47F14C0981}", "RelatedActivityID"=>"", "ProcessID"=>728, "ThreadID"=>6256, "Channel"=>"System", "Computer"=>"XXXXXX", "UserID"=>"", "Message"=>"The AppX Deployment Service (AppXSVC) service entered the stopped state.", "StringInserts"=>["AppX Deployment Service (AppXSVC)", "stopped", "41007000700058005300760063002F0031000000"]}]
[0] winevtlog.0: [[1764153727.985859400, {}], {"ProviderName"=>"Service Control Manager", "ProviderGuid"=>"{555908D1-A6D7-4695-8E1E-26931D2012F4}", "Qualifiers"=>16384, "EventID"=>7036, "Version"=>0, "Level"=>4, "Task"=>0, "Opcode"=>0, "Keywords"=>"0x8080000000000000", "TimeCreated"=>"2025-11-26 11:42:06 +0200", "EventRecordID"=>168823, "ActivityID"=>"{F78767F8-FA2C-4A88-AC6C-591A411BD765}", "RelatedActivityID"=>"", "ProcessID"=>728, "ThreadID"=>12612, "Channel"=>"System", "Computer"=>"XXXXXX", "UserID"=>"", "Message"=>"The Windows Modules Installer service entered the stopped state.", "StringInserts"=>["Windows Modules Installer", "stopped", "540072007500730074006500640049006E007300740061006C006C00650072002F0031000000"]}]
[2025/11/26 11:42:14] [engine] caught signal (SIGINT)
[2025/11/26 11:42:15.39169500] [ warn] [engine] service will shutdown in max 5 seconds
[2025/11/26 11:42:15.39226500] [ info] [engine] pausing all inputs..
[2025/11/26 11:42:15.39242000] [ info] [input] pausing winevtlog.0
[2025/11/26 11:42:16.42104400] [ info] [engine] service has stopped (0 pending tasks)
[2025/11/26 11:42:16.42162900] [ info] [input] pausing winevtlog.0
[2025/11/26 11:42:16.42232800] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2025/11/26 11:42:16.42814400] [ info] [output:stdout:stdout.0] thread worker #0 stopped
TimeCreated part output:
[0] winevtlog.0: [[1764153712.989395700, {}], {"TimeCreated"=>"2025-11-26 11:41:51 +0200", ...}]
The timestamp is correct, but the offset should be +0100 instead of +0200.
Expected behavior
The winevtlog input should return the correct timezone offset for the local timestamp, regardless of daylight saving time.
Your Environment
- Version: 4.0.10 and 4.2.0
- Input plugin:
winevtlog - OS: Windows Server 2022 Standard (VMware)
- Timezone: (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
System details:
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348
System Manufacturer: VMware, Inc.
System Model: VMware7,1
Processor(s): Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~3000 Mhz
Time Zone: (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
C:\>w32tm /tz
Time zone: Current:TIME_ZONE_ID_STANDARD Bias: -60min (UTC=LocalTime+Bias)
[Standard Name:"W. Europe Standard Time" Bias:0min Date:(M:10 D:5 DoW:0)]
[Daylight Name:"W. Europe Daylight Time" Bias:-60min Date:(M:3 D:5 DoW:0)]
C:\>tzutil /g
W. Europe Standard Time
Additional context
This issue was previously reported as #8086 but was closed as stale.