I am collecting DHCP events from 4 different servers worldwide (HQ, US, BR) and for some reason one of them does not display the time correctly.
The issue is happening with a Brazilian server which is in GMT-3 Brasilia time zone.
The data source is configured as described in SIEM_Data_Source_Configuration_Microsoft_Windows_DHCP using MEF with the time zone set to GMT-3 Brasilia time. The following line:
30,05/29/17,06:22:15,DNS Update Request,10.14.213.14,<hostname>,,,0,6,,,,,,,,,0
will produce an event with the wrong last_time in the ESM, 09:38:43 (which corresponds to 06:38:43 GMT-3). This is wrong, as last_time should correspond to the time when the event was generated.
I already tried to install SIEM Collector 10 & 11 and reconfigured the data source on both ESM and collector multiple times but the issue is still there.
Has anybody faced such an issue in the past and found a solution?
Thank you in advance.
You might have to play around with the time zone settings. If you are 3 hours ahead of Brazil, then the last time is correct. I assume your GUI time zone is set to the Brazil + 3 hour zone?
Correct, however the timezone is not the problem.
With my view in GMT+0, the calculation of the last_time is:
Event generated time - timezone offset = last_time
So in my case:
Event generated time - (-3 h) = last_time
Replacing with the values of the above sample:
06:22:15 + 3 h = 09:22:15
But the last_time I have for this event is 09:38:43 in the GUI
Can somebody explain why the parsing of the event is wrong? Does MEF use the receive time instead of the time of the event sometimes?
Again, this works well with similar data sources located in the US for example so I do not understand why it fails on this server.
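The calculation in the thread, carried out in code as an added example (not from the original posts, nor from McAfee's MEF parser): it parses the Date/Time fields of a Windows DHCP audit-log line, normalizes them from the server's local zone to UTC, and compares the result with the last_time the SIEM actually recorded. The skew it reports is what a defender wants to watch on any log pipeline, because a collector silently substituting receive time for event time (or applying the wrong zone) breaks timeline reconstruction during incident response. The sample line is constructed from the one in the thread with a placeholder hostname; the fixed GMT-3 offset with no DST handling, the 60-second tolerance, and the observed last_time of 09:38:43 UTC are assumptions taken from the poster's description, not from any product documentation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the Windows DHCP audit-log layout shown in the thread
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...). Hostname is a placeholder.
SAMPLE_LINE = "30,05/29/17,06:22:15,DNS Update Request,10.14.213.14,host.example,,,0,6,,,,,,,,,0"

# Assumption: the Brazilian server writes local time in a fixed GMT-3 zone (no DST handling here).
BRASILIA = timezone(timedelta(hours=-3))

# Assumption: the last_time the SIEM displayed for this event, viewed in GMT+0 (from the thread).
OBSERVED_LAST_TIME_UTC = datetime(2017, 5, 29, 9, 38, 43, tzinfo=timezone.utc)


def is_event_line(line: str) -> bool:
    """The DHCP audit log starts with a textual header; real event lines begin with a numeric ID."""
    first = line.split(",", 1)[0].strip()
    return first.isdigit()


def parse_dhcp_event_time(line: str, source_tz: timezone) -> datetime:
    """Parse the Date (MM/DD/YY) and Time (HH:MM:SS) fields and return an aware UTC datetime."""
    if not is_event_line(line):
        raise ValueError("not a DHCP audit-log event line")
    fields = line.split(",")
    if len(fields) < 3:
        raise ValueError("event line has fewer than three fields")
    local_naive = datetime.strptime(f"{fields[1].strip()} {fields[2].strip()}", "%m/%d/%y %H:%M:%S")
    # The log carries no zone marker, so the zone comes from the data-source configuration.
    return local_naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def expected_last_time(line: str, source_tz: timezone, view_tz: timezone = timezone.utc) -> datetime:
    """What the SIEM should show as last_time in the viewer's zone: event time, zone-corrected."""
    return parse_dhcp_event_time(line, source_tz).astimezone(view_tz)


def timestamp_skew_seconds(line: str, source_tz: timezone, observed_utc: datetime) -> float:
    """Seconds by which the SIEM's recorded last_time differs from the event time in the log."""
    return (observed_utc - parse_dhcp_event_time(line, source_tz)).total_seconds()


def check_ingest_skew(line: str, source_tz: timezone, observed_utc: datetime,
                      tolerance_seconds: int = 60) -> dict:
    """Flag a pipeline whose stored timestamp drifts from the event time beyond tolerance.

    A positive skew larger than the tolerance is the signature of a collector stamping events
    with the time it received them (or a misapplied zone offset) rather than the time logged.
    """
    skew = timestamp_skew_seconds(line, source_tz, observed_utc)
    return {
        "expected_utc": expected_last_time(line, source_tz).isoformat(),
        "observed_utc": observed_utc.isoformat(),
        "skew_seconds": skew,
        "ok": abs(skew) <= tolerance_seconds,
        "suspect_receive_time": skew > tolerance_seconds,
    }


if __name__ == "__main__":
    finding = check_ingest_skew(SAMPLE_LINE, BRASILIA, OBSERVED_LAST_TIME_UTC)
    for key, value in finding.items():
        print(f"{key}: {value}")
```

Run over the thread's own numbers, the expected last_time in GMT+0 is 09:22:15, matching the poster's arithmetic, and the recorded 09:38:43 is 988 seconds (16 minutes 28 seconds) later, so the finding is flagged. Running the same check over a window of events from a working collector (the US sources in the thread) and the failing one gives a quick way to tell a timezone misconfiguration (constant skew of a whole number of hours) from receive-time stamping (variable skew that tracks collection latency).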