Re: Last Time Values more than one hour in the future

I'd appreciate it. This issue causes problems when monitoring via gauges, as they are not included in "current" or real-time stats. This means we could be encountering a security problem and not realize it, since it isn't included in the views as defined by SIEMs out of the box.

penoffd, Reliable Contributor, Message 12 of 17

Re: Last Time Values more than one hour in the future

Here is what we found and what was done to resolve the situation.  No guarantees that your situation is the same, but if not it might give you some additional ideas to pursue:

My local VAR (not SE, sorry about the confusion) dug into the device settings and found that, in the case of the Cisco VPN concentrator, it was configured to "Log unknown syslog events" in the "Support Generic Syslogs" section of the device profile. This resulted in the erroneous interpretation of logs coming from the device that could not be parsed using the data source model. These events also created an auto-generated event in the profile.

By changing the setting to "Do nothing" and enabling the Logging function so that we would continue to capture whatever logs did come from the device, we were able to eliminate the nuisance log errors.

We made similar changes for the Imprivata appliance as well.

These changes were done on Friday afternoon and since that time we have not logged any "future" events.

Message was edited by: penoffd on 5/12/14 2:57:36 PM CDT

Re: Last Time Values more than one hour in the future

Thanks..

I will see if that helps.

Re: Last Time Values more than one hour in the future

Good day everybody.

I have noticed the same issue with my ESM and McAfee Firewall Enterprise integration after a step-by-step software update from version 9.1.4 to 9.4.2.

1. McAfee Firewall Enterprise data source configuration (time zone GMT+06)

[attachment: FWE_data_source.png]

2. McAfee Firewall Enterprise date and time zone config

[attachment: FWE_time.png]

3. Audit view in Firewall Enterprise shows proper time format as desired

[attachment: FWE_Audit.png]

but in the SIEM event distribution drilldown the time is one hour ahead

[attachment: Events.png]

Re: Last Time Values more than one hour in the future

Suddenly I found that if I change the data source's time zone property to Greenwich GMT+00 in the SIEM, the events begin to display correctly in the SIEM. So I conclude the main reason was a time zone misconfiguration, which is related to the situation where there is no proper choice of time zone in either the SIEM or Firewall Enterprise.

Re: Last Time Values more than one hour in the future

This was answered long ago with a KB article that finally came out. The standard is to set all the devices within the SIEM to UTC (GMT Dublin). Sorry I wasn't online to give you feedback. Could have saved you a bunch of work.
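The two posts above describe the same mechanism from both ends: a zone-less syslog timestamp is interpreted using whatever offset the SIEM's data-source profile assumes, and any difference between that offset and the one the device actually writes its clock in shows up as a constant skew, which ESM reports as a "last time" in the future. The script below is an added illustration, not code from the thread or from McAfee ESM: it parses constructed RFC 3164-style lines (no year, no zone marker), computes the skew a collector would see for a given device offset versus configured offset, and flags events outside an assumed drift tolerance. The year, the tolerance, and the sample lines are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not taken from the thread). RFC 3164 syslog carries
# neither a year nor a zone marker, so the collector must supply both.
SAMPLE_LINES = [
    "<134>May 12 14:57:36 fw1 kernel: accept src=10.0.0.5 dst=10.0.1.9",
    "<134>May 12 15:02:10 fw1 kernel: drop src=10.0.0.7 dst=10.0.1.9",
]
ASSUMED_YEAR = 2014                 # assumption: year supplied by the collector
TOLERANCE = timedelta(minutes=5)    # assumption: acceptable clock drift


def parse_syslog_time(line, year=ASSUMED_YEAR):
    """Return the zone-less timestamp embedded in an RFC 3164 syslog line."""
    body = line.split(">", 1)[1]            # drop the <PRI> header
    stamp = body[:15]                       # e.g. "May 12 14:57:36"
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def to_utc(naive, offset_hours):
    """Interpret a zone-less timestamp as local time at the given UTC offset."""
    local_tz = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


def check_source(lines, device_offset_hours, configured_offset_hours,
                 tolerance=TOLERANCE):
    """Simulate one data source and report the skew the SIEM would see.

    device_offset_hours     - the offset the device actually writes its clock in
    configured_offset_hours - the offset the SIEM data-source profile assumes
    Returns a list of (line, skew_seconds, flagged). Skew is the SIEM's
    interpreted time minus the true event time in UTC, so a positive value
    means the event appears to be in the future.
    """
    results = []
    for line in lines:
        naive = parse_syslog_time(line)
        true_utc = to_utc(naive, device_offset_hours)       # what the device meant
        seen_utc = to_utc(naive, configured_offset_hours)   # what the SIEM stores
        skew = seen_utc - true_utc
        flagged = abs(skew) > tolerance
        results.append((line, int(skew.total_seconds()), flagged))
    return results


def count_flagged(results):
    """Return how many events fell outside the drift tolerance."""
    return sum(1 for _, _, flagged in results if flagged)


if __name__ == "__main__":
    # Mismatch: device clock at UTC+6, profile set to UTC+5 -> one hour ahead.
    for line, skew, flagged in check_source(SAMPLE_LINES, 6, 5):
        print(f"{'FUTURE' if flagged else 'ok':6} skew={skew:+6d}s  {line}")
    # Matching offsets, or UTC on both ends, give zero skew.
    print(count_flagged(check_source(SAMPLE_LINES, 0, 0)),
          "events flagged with UTC on both ends")
```

Running the script with a one-hour mismatch flags every event with a +3600 s skew; with the device and the profile both on UTC, as the KB guidance above recommends, the skew is zero and nothing is flagged. The same check is useful in reverse: a negative constant skew across a whole data source is the signature of a profile offset that is too large, not of a clock problem on the device.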

tiwake, Level 7, Message 17 of 17

Re: Last Time Values more than one hour in the future

Pepelepuu, could you please share the link to the KB article you mentioned? Thanks in advance.
