EventConsole Time of Last Occurrence wrong

I did take a look but did not find anything I can pin to that behaviour.

I just tested it a bit and I think it has nothing to do with the ruleset. I deactivated the ruleset and created a simple catch-all rule and it shows the same behaviour.

If I look at the history of events I can see the correct time for the entry in the logfile.
But Time of last occurrence is in the past, which is strange…

If I go to the Event Rule Set and generate the event manually, everything is fine.

I enabled the debug mode for a short time and caught a logon error event.
It looks like there is some error in event.py, but I don't know if this is relevant to that?

2023-08-22 15:57:42,361 [20] [cmk.mkeventd.EventServer] processing message from host ip.253, port 15190: "<185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz="+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui=
"https(ip.103)" method="https" srcip=ip.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(103) because of invalid user name""
2023-08-22 15:57:42,361 [40] [cmk.mkeventd.EventServer] could not parse message "<185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712
662363374008 tz="+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="h
ttps" srcip=ip.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(ip.103) because of invalid use
r name"" ('date=2023-08-22')
Traceback (most recent call last):
  File "/omd/sites/name/lib/python3/cmk/ec/event.py", line 79, in create_event_from_line
    event = parse_message(line, ipaddress)
  File "/omd/sites/name/lib/python3/cmk/ec/event.py", line 227, in parse_message
    month = _MONTH_NAMES[month_name]
KeyError: 'date=2023-08-22'
2023-08-22 15:57:42,362 [20] [cmk.mkeventd.EventServer] parsed message:
 application:
 core_host:        None
 facility:         1
 host:
 host_in_downtime: False
 ipaddress:        ip.253
 pid:              0
 priority:         0
 text:             <185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz="+0200" logid="0100032002" type="event" subtyp
e="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="https" srcip=ip.103 dstip=ip.253 action="login" statu
s="failed" reason="name_invalid" msg="Administrator testerei login failed from https(ip.103) because of invalid user name"
 time:             1692340081.7687554
2023-08-22 15:57:42,362 [20] [cmk.mkeventd.EventServer]   Rule would not match, but due to inverted matching does.
2023-08-22 15:57:42,362 [20] [cmk.mkeventd.EventServer]   matching groups:
{}
2023-08-22 15:57:42,363 [20] [cmk.mkeventd.EventServer]   skipping this rule pack (FW-FORWARD-1)
2023-08-22 15:57:42,363 [20] [cmk.mkeventd.EventServer]   Rule would match, but due to inverted matching does not.
2023-08-22 15:57:42,364 [20] [cmk.mkeventd.EventServer]   matching groups:
{'match_groups_message': ('Admin login failed',)}
2023-08-22 15:57:42,367 [20] [cmk.mkeventd] Event 88628: NEW// - <185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" eventtime=1692712662363374008 tz=
"+0200" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testerei" ui="https(ip.103)" method="https" srcip=10.3
3.1.103 dstip=ip.253 action="login" status="failed" reason="name_invalid" msg="Administrator testerei login failed from https(ip.103) because of invalid user name"
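The message in the debug output above carries its own `date`, `time`, `tz` and `eventtime` fields, while the parsed event shows `time: 1692340081.7687554`. The following added example (not part of the original post and not Checkmk code) parses such a key=value line and measures the gap between the device's timestamp and the recorded one. The function names are hypothetical, and the sample line is constructed from the one in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: shortened from the message in the post, with a
# documentation address (192.0.2.103) in place of the redacted source IP.
SAMPLE = ('<185>date=2023-08-22 time=15:57:42 devname="FGT" devid="FGT" '
          'eventtime=1692712662363374008 tz="+0200" logid="0100032002" '
          'type="event" subtype="system" level="alert" '
          'logdesc="Admin login failed" user="testerei" srcip=192.0.2.103 '
          'action="login" status="failed" reason="name_invalid"')
RECORDED_TIME = 1692340081.7687554  # "time:" value from the debug output above

_PRI = re.compile(r"^<(\d{1,3})>")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_syslog(line):
    """Return ((facility, severity), fields) for a '<PRI>key=value ...' line."""
    pri = _PRI.match(line)
    if pri is None:
        raise ValueError("no syslog PRI header")
    fields = {}
    for m in _KV.finditer(line, pri.end()):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return divmod(int(pri.group(1)), 8), fields


def event_time(fields):
    """Device-side event time as an aware UTC datetime."""
    raw = fields.get("eventtime", "")
    if raw.isdigit() and len(raw) == 19:
        # Assumption: a 19-digit eventtime is nanoseconds since the epoch,
        # which agrees with date/time/tz in the sample line.
        secs, nanos = divmod(int(raw), 10**9)
        base = datetime.fromtimestamp(secs, tz=timezone.utc)
        return base + timedelta(microseconds=nanos // 1000)
    stamp = f'{fields["date"]} {fields["time"]} {fields.get("tz", "+0000")}'
    parsed = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    return parsed.astimezone(timezone.utc)


def skew_seconds(fields, recorded_epoch):
    """Recorded time minus device time; negative means recorded in the past."""
    return recorded_epoch - event_time(fields).timestamp()


if __name__ == "__main__":
    (facility, severity), f = parse_kv_syslog(SAMPLE)
    print(facility, severity, event_time(f).isoformat(),
          round(skew_seconds(f, RECORDED_TIME)))
```

A check like `abs(skew_seconds(...)) > tolerance` on incoming events makes this kind of timestamp drift visible before it distorts an incident timeline.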