SNS ProTip for SIEM: Troubleshooting Future Events

Version 1

To help you maximize your SIEM deployment, McAfee SNS ProTips deliver troubleshooting, best practices and how-to tips with links to in-depth KnowledgeBase resources.

Issue: In a SIEM Enterprise Security Manager (ESM) 9.x device, red or yellow flags on data source devices are accompanied by a log message stating: “Last time stamp more than 1 hour in the future.”

Cause: This error message appears if an event is received with an invalid time stamp, or if the time zone offset for a data source is incorrect, which results in the incoming event having an incorrect time and date.

Resolution: One solution is to determine where the logs are coming from and what time zone they are using, and ensure that the time stamp in the event matches the correct time zone. Instructions on how to do this can be found in KB82390 — Troubleshooting future events with SIEM.

While incorrectly configured time zones are the primary cause of future events, in some cases the time zone is correct but the time stamp is not. This can be caused by a bad clock or date on the data source. In this case, fixing the device should resolve the issue.
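The check behind that log message, written out as an added example (this is not McAfee code and not how ESM implements it): each data source's configured UTC offset is applied to the raw timestamp the device wrote, any event that lands more than one hour ahead of the collector's clock is flagged, and a small heuristic separates the two causes the ProTip names. A future delta that is close to a whole number of hours points at a wrong time zone offset; anything else points at a drifting clock or wrong date on the device. The data source names, offsets, timestamps and the fixed "now" are all constructed for the example.

```python
"""Flag 'future' events from SIEM data sources and suggest the likely cause.

Added illustration, not McAfee code. All data source names, offsets and
timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Threshold the ESM message refers to: more than 1 hour ahead of our clock.
FUTURE_LIMIT = timedelta(hours=1)

# Fixed collector clock so the example runs the same way offline (constructed).
NOW_UTC = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample events: (data source, configured UTC offset in hours,
# raw timestamp exactly as the device wrote it, with no zone information).
SAMPLE_EVENTS = [
    ("fw-edge-01", 0, "2024-03-10 14:05:00"),    # device really runs at UTC+2
    ("dc-auth-02", -5, "2024-03-10 06:58:00"),   # offset correct, clock in sync
    ("web-proxy-03", 0, "2024-03-10 13:40:00"),  # clock ahead by 1h40m
]


def to_utc(raw, offset_hours):
    """Interpret a naive device timestamp using the data source's configured offset."""
    naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    source_tz = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def classify_future_event(raw, offset_hours, now_utc=NOW_UTC):
    """Return (is_future, delta, likely_cause) for one event.

    likely_cause is 'ok', 'time zone offset' or 'clock skew'.
    """
    delta = to_utc(raw, offset_hours) - now_utc
    if delta <= FUTURE_LIMIT:
        return False, delta, "ok"

    # Heuristic: a delta within 15 minutes of a whole hour, between 1 and 14
    # hours, looks like a mis-set zone offset rather than a drifting clock.
    minutes = delta.total_seconds() / 60
    remainder = minutes % 60
    near_whole_hour = min(remainder, 60 - remainder) <= 15
    if near_whole_hour and 1 <= round(minutes / 60) <= 14:
        return True, delta, "time zone offset"
    return True, delta, "clock skew"


def audit_events(events=SAMPLE_EVENTS, now_utc=NOW_UTC):
    """Run the check over a batch and return one dict per flagged data source."""
    findings = []
    for source, offset_hours, raw in events:
        is_future, delta, cause = classify_future_event(raw, offset_hours, now_utc)
        if is_future:
            findings.append({
                "source": source,
                "ahead_by_minutes": int(delta.total_seconds() // 60),
                "likely_cause": cause,
            })
    return findings


if __name__ == "__main__":
    for f in audit_events():
        print(f"{f['source']}: {f['ahead_by_minutes']} min in the future "
              f"(likely cause: {f['likely_cause']})")
```

The whole-hour heuristic is deliberately simple: zones with a 30 or 45 minute offset, or a device that is both in the wrong zone and drifting, will be reported as clock skew, so treat the suggested cause as a starting point for the KB82390 checks rather than a verdict.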

For more resources, visit the McAfee KnowledgeBase and search for SIEM-related KBs.