ksudki
Level 10

DHCP event time not correct

Hello,

I am collecting DHCP events from 4 different servers worldwide (HQ, US, BR) and for some reason one of them does not display the time correctly.

The issue is happening with a Brazilian server which is in GMT-3 Brasilia time zone.

The data source is configured as described in the SIEM_Data_Source_Configuration_Microsoft_Windows_DHCP using MEF with the time zone set to GMT-3 Brasilia time.

Sample log

30,05/29/17,06:22:15,DNS Update Request,10.14.213.14,<hostname>,,,0,6,,,,,,,,,0

This will produce an event with the wrong last_time in the ESM, 09:38:43 (which corresponds to GMT-3 06:38:43), which is wrong, as the last_time should correspond to the time when the event was generated.

I already tried to install SIEM Collector 10 & 11 and reconfigured the data source on both ESM and collector multiple times but the issue is still there.

Has anybody already faced such an issue in the past and has a solution?

Thank you in advance

0 Kudos
1 Solution

Accepted Solutions
ksudki
Level 10

Re: DHCP event time not correct

Switching the timezone to Buenos Aires (GMT-3) resolved my issue.

I opened a service request to solve this issue.

0 Kudos
3 Replies
sssyyy
Level 12

Re: DHCP event time not correct

You might have to play around with the time zone settings. If you are 3 hrs ahead of Brazil, then the last time is correct. I assume your GUI time zone is set at Brazil + 3 hr zone?

0 Kudos
ksudki
Level 10

Re: DHCP event time not correct

Correct, however the timezone is not the problem.

With my view in GMT+0, the calculation of the last_time is:

Event generated time - timezone offset = last_time

So in my case:

Event generated time - (-3) = last_time

Replacing with the values of the above sample:

06:22:15 +3 = 09:22:15

But the last_time I have for this event is 09:38:43 in the GUI

Can somebody explain why the parsing of the event is wrong? Does MEF use the receive time instead of the time of the event sometimes?

Again, this works well with similar data sources located in the US, for example, so I do not understand why it fails on this server.

0 Kudos
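The check worked through by hand in the reply above, as an added example that is not part of the original posts and not vendor code: it parses the Date and Time fields of the sample DHCP audit log line, converts them to UTC, and tests whether the gap to the ESM's last_time has the shape of a time-zone offset. The function names, the fixed -3 hour offset and the assumption that the observed last_time falls on the same date as the log line are assumptions made for this example.

```python
import csv
from datetime import datetime, timedelta, timezone

# Sample line from the thread (hostname left as the poster's placeholder).
SAMPLE = "30,05/29/17,06:22:15,DNS Update Request,10.14.213.14,<hostname>,,,0,6,,,,,,,,,0"


def event_time_utc(line, utc_offset_hours):
    """Return the event time in UTC from a Windows DHCP audit log line.

    Fields 2 and 3 hold the date (MM/DD/YY) and time in server local time.
    """
    fields = next(csv.reader([line]))
    local = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%y %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def classify_skew(line, utc_offset_hours, observed_utc):
    """Compare the SIEM's last_time (UTC) with the time in the log line.

    Real UTC offsets are multiples of 15 minutes, so a skew of that shape
    points at a time-zone setting; any other skew means the SIEM's value
    was not derived from the log timestamp by an offset alone.
    """
    expected = event_time_utc(line, utc_offset_hours)
    skew = observed_utc - expected
    if skew == timedelta(0):
        verdict = "match"
    elif skew % timedelta(minutes=15) == timedelta(0):
        verdict = "offset-shaped"
    else:
        verdict = "not-an-offset"
    return expected, skew, verdict


if __name__ == "__main__":
    # last_time shown in the GUI (view in GMT+0); date assumed equal to the log date.
    observed = datetime(2017, 5, 29, 9, 38, 43, tzinfo=timezone.utc)
    expected, skew, verdict = classify_skew(SAMPLE, -3, observed)
    print(f"expected {expected:%H:%M:%S} UTC, observed {observed:%H:%M:%S} UTC")
    print(f"skew {skew} -> {verdict}")
```

Run over a batch of events, a constant offset-shaped skew points at the data source's time-zone setting, while a varying skew means last_time is coming from somewhere other than the log line's own timestamp.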