I'd appreciate it. This issue causes problem when monitoring via gauges, as they are not included in "current" or real-time stats. Which means we could be encountering a security problem and not realize it since it isn't included in the views as defined by SIEMs out-of-box.
Here is what we found and what was done to resolve the situation. No guarantees that your situation is the same, but if not it might give you some additional ideas to pursue:
My local VAR (not SE, sorry about the confusion) dug into the device settings and found that in the case of the Cisco VPN concentrator that it was configured to "Log unknown syslog events" in the "Support Generic Syslogs" section of the device profile. This resulted in the erroneous interpretation of logs that were coming from the device that could not be parsed using the data source model. These events created an auto generated event in the profile as well.
By changing the setting to "Do nothing" and enabling the Logging function so that we would continue to capture whatever logs did come from the device, we were able to eliminate the nuisance log errors.
We made similar changes for the Imprivata appliance as well.
These changes were done on Friday afternoon and since that time we have not logged any "future" events.Message was edited by: penoffd on 5/12/14 2:57:36 PM CDT
Good day everybody.
I have noticed the same issue with my ESM and Mcafee Firewall Enterprise Integration after step by step software update from 9.1.4 to 9.4.2 version.
1. McAfee Firewall Enterprise data source configuration (time zone GMT+06)
2. McAfee Firewall Enterprise date and time zone config
3. Audit view in Firewall Enterprise shows proper time format as desired
but in SIEM event distribution drilldown the time format is one hour ahead
Suddenly I have found that if I change the data source's property time zone to grinwich GMT+00 jn SIEM, the events began correctly display in SIEM. So I conclude the main reason was time zone misconfiguration, which relatively linked with such kind of situation when ther is no proper choise of time zone neither in siem nor firewall enterprise.
This was answered long ago with KB article that finally came out. The standard is to set all the devices within the SIEM to UTC (GMT Dublin) . Sorry I wasn't online to give you feed back. Could have saved you a bunch of work.