I've been having some troubles with the times in our SIEM.
The first issue is that the user time displayed doesn't account for daylight savings time, so for me in the MST timezone it currently shows as an hour later than the actual time. Is there an easy way to fix this? The only option I see is to change the time zone/date format for the individual user who is logged in to the GMT-0:07 PST, which isn't correct. Is there an option somewhere to adjust this based on daylight savings?
I'm not sure if it is related or not, but I've noticed that our ESM system clock doesn't stay synchronized with our NTP server. After a couple of weeks or so it becomes out of sync. Any suggestions? Anything I can check?
First, best practice would be to have all of your SIEM appliances running on UTC time. Also, if the ESM is pulling time from an NTP server, have you ensured that it was properly configured? Is the ntpd service running on the ESM?
From there, like you said, user time is adjusted on each account. Additionally, you can take advantage of the Time Delta feature in 9.5.0 to determine if your data sources were configured with the wrong time zone, which is a very useful feature. Not sure if I was able to help or not but hopefully I provided some insight.
What was the solution to the Daylight Savings Time Delta issue with McAfee SIEM and the data sources going into it? Today the time changed backwards (1 hour back) and I am experiencing the same issue. So what I did is Edit the Source and "Write" it, and it figured out the correct time. What a pain; this should be automatic.
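The two problems raised in this thread (a data source with the wrong time zone or DST setting, and a clock drifting away from NTP) can be told apart by comparing each source's parsed event time with the collector's UTC receipt time. The following is an added example, not part of any post above and not McAfee ESM's Time Delta implementation; the source names, sample timestamps and tolerances are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

UTC = timezone.utc
FMT = "%Y-%m-%d %H:%M:%S"

# Assumed collector configuration: the zone each source's timestamps are parsed in.
# "fw-edge" really runs on UTC-6 (daylight time) but is configured as fixed UTC-7.
CONFIGURED = {"fw-edge": timezone(timedelta(hours=-7)), "dc01": UTC, "proxy": UTC}

# Constructed sample: (source, timestamp as sent by the source, receipt time in UTC).
SAMPLES = [
    ("fw-edge", "2024-07-01 09:00:02", "2024-07-01 15:00:03"),
    ("fw-edge", "2024-07-01 09:05:10", "2024-07-01 15:05:11"),
    ("fw-edge", "2024-07-01 09:10:00", "2024-07-01 15:10:02"),
    ("dc01",    "2024-07-01 15:00:40", "2024-07-01 15:00:01"),
    ("dc01",    "2024-07-01 15:05:41", "2024-07-01 15:05:01"),
    ("dc01",    "2024-07-01 15:10:43", "2024-07-01 15:10:02"),
    ("proxy",   "2024-07-01 15:00:00", "2024-07-01 15:00:01"),
    ("proxy",   "2024-07-01 15:05:00", "2024-07-01 15:05:00"),
    ("proxy",   "2024-07-01 15:10:01", "2024-07-01 15:10:02"),
]

def median_deltas(samples, configured):
    """Median of (parsed event time - receipt time) in seconds, per source."""
    per_source = {}
    for source, event_local, received_utc in samples:
        event = datetime.strptime(event_local, FMT).replace(tzinfo=configured[source])
        received = datetime.strptime(received_utc, FMT).replace(tzinfo=UTC)
        per_source.setdefault(source, []).append((event - received).total_seconds())
    return {s: median(d) for s, d in per_source.items()}

def classify(delta_s, drift_tolerance=5, tz_tolerance=120):
    """Separate whole-offset deltas (zone/DST setting) from arbitrary drift."""
    if abs(delta_s) <= drift_tolerance:
        return "ok"
    # Real UTC offsets are multiples of 15 minutes; a delta close to one
    # points at the configured zone rather than the source's clock.
    nearest = round(delta_s / 900) * 900
    if nearest != 0 and abs(delta_s - nearest) <= tz_tolerance:
        return f"timezone offset {nearest / 3600:+.1f}h"
    return "clock drift"

def report(samples, configured):
    return {s: classify(d) for s, d in median_deltas(samples, configured).items()}

if __name__ == "__main__":
    for source, verdict in report(SAMPLES, CONFIGURED).items():
        print(f"{source:8} {verdict}")
```

A verdict of "timezone offset" means the source's configured zone needs correcting, while "clock drift" points at NTP on that host.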