'Last Time' values more than one hour in the future

Hello,

One of our receivers logs the following message every 10 minutes:

     Events retrieved contained possibly incorrect values: 8 events with 'Last Time' values more than one hour in the future

The number of events in the different messages varies appr. from 5 to 30.

How can I determine which one of the sources produces logs with a timestamp in the future?

This receiver has about 10 active data sources, including 2 syslog relay servers handling respectively 10 and appr. 40 devices.

Thanks,

Marc.

Accepted Solution

Re: 'Last Time' values more than one hour in the future

There are a couple of ways you can determine this.

1) When you are looking at the Receiver logs, you'll probably notice there's a small gold funnel icon in the top left corner.  When you first open the log viewer, it's typically filtered to show only the "Status" events...the events with a flag.  If you clear that filter (click on it, select "Show All") you'll see additional logs.  The one immediately above the "Events retrieved with possible incorrect values" log should show you the problem data source.

2) If you open any view and choose a time frame that includes some time in the future ("Current Day" is often a good choice here) you should be able to quickly see what events are coming in with future time stamps.

Scott
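The receiver-side check behind the warning, reproduced over a few constructed syslog lines so the offending host can be named from the data rather than from the log viewer. This is an added example, not code from the thread or from the ESM. It assumes the receiver clock is UTC (as in Marc's setup) and a classic BSD syslog header with no year or zone; the +4 h offset for the host "asa-edge" is chosen only to reproduce the four-hour skew reported later in the thread and says nothing about which zone the devices actually run.

```python
"""Which source is sending timestamps from the future?

Added example, not code from the thread or from the ESM. It reproduces the
receiver-side check behind the "'Last Time' values more than one hour in the
future" message over a handful of constructed syslog lines, grouping the hits
by originating host. Assumptions: the receiver clock is UTC, the header is
classic BSD syslog with no year or zone, and the +4 h offset for "asa-edge"
is a hypothetical value chosen only to reproduce a four-hour skew.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Classic BSD syslog header: optional <PRI>, "Mon dd HH:MM:SS", then the host.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)

# Constructed sample: the two ASA lines are stamped ~4 h ahead of NOW_UTC when
# read as UTC; web01 is on time; core-sw drifts 30 min, under the threshold.
NOW_UTC = datetime(2013, 3, 14, 13, 10, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "<166>Mar 14 17:05:22 asa-edge %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.1.1.5/49152 to outside:203.0.113.7/49152",
    "<166>Mar 14 17:05:23 asa-edge %ASA-6-305012: Teardown dynamic TCP translation "
    "from inside:10.1.1.5/49152 to outside:203.0.113.7/49152 duration 0:00:01",
    "<38>Mar 14 13:09:58 web01 sshd[2201]: Accepted publickey for ops from 10.1.1.20 port 51022 ssh2",
    "<189>Mar 14 13:40:00 core-sw %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down",
]
# Offset the device's stamps are assumed to carry (hypothetical value, see above).
ASSUMED_OFFSETS = {"asa-edge": timedelta(hours=4)}


def event_time_utc(mon, day, time_str, year, offset=timedelta(0)):
    """Interpret a zone-less BSD header stamp as local to `offset` and return UTC.

    With offset=0 this is what a receiver does when it assumes every device
    stamps in its own (UTC) zone; the error is exactly the device's real offset.
    """
    naive = datetime.strptime(f"{mon} {day} {year} {time_str}", "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def find_future_events(lines, now_utc, year, offsets=None, threshold=timedelta(hours=1)):
    """Return (Counter host -> future events, list of (host, utc_iso, msg) hits).

    `offsets` maps hostname -> the timedelta that host's clock stamps in; hosts
    not listed are read as UTC, which is the receiver's default assumption.
    """
    offsets = offsets or {}
    by_host, hits = Counter(), []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                      # not a syslog header we understand
        host = m["host"]
        ts = event_time_utc(m["mon"], m["day"], m["time"], year, offsets.get(host, timedelta(0)))
        if ts - now_utc > threshold:      # same rule as the receiver's warning
            by_host[host] += 1
            hits.append((host, ts.isoformat(), m["msg"][:48]))
    return by_host, hits


def diagnose():
    """Receiver's view: every stamp read as UTC. Names the offending host."""
    return find_future_events(SAMPLE_LINES, NOW_UTC, NOW_UTC.year)


def recheck_with_offsets():
    """Same lines with the assumed per-device offset applied: nothing is future."""
    return find_future_events(SAMPLE_LINES, NOW_UTC, NOW_UTC.year, ASSUMED_OFFSETS)


if __name__ == "__main__":
    counts, hits = diagnose()
    for host, n in counts.most_common():
        print(f"{host}: {n} event(s) more than 1 h in the future")
    for host, when, msg in hits:
        print(f"  {host} {when}  {msg}")
    print("after applying assumed offsets:", dict(recheck_with_offsets()[0]))
```

Grouping by host is the point: one run over the receiver's raw log window tells you which source to look at, and re-running with the device's real offset confirms the stamps themselves are consistent and only the zone interpretation is off.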

3 Replies

Re: 'Last Time' values more than one hour in the future

Thanks Scott!

Your first suggestion worked like a charm! As you suggested, I can confirm that the data source that generates the discarded events is mentioned in a "non-status" message.

Your second suggestion then helped me identify these events, and like I saw in another post on this subject, these messages come from "unknown events" (events not recognized by the parsing rule). It's funny that a few fields (for example, source IP, host and timestamps) in unrecognized events can still be parsed. The timestamps are in the Eastern timezone, so the ESM with its GMT timezone sees the events as being 4 hours in the future.

I identified the exact reason why this happens: there is an optional field containing the VPN username after the first IP address in our ASA logs that is not accounted for in the parsing rules of signature IDs 278-305011 ("Built dynamic/static TCP/UDP/ICMP translation") and 278-305012 ("Teardown dynamic/static TCP/UDP/ICMP translation").

(I know I could get rid of those by choosing "Do nothing" instead of "Log unknown events" in the data source configuration, but I prefer to see unrecognized events instead of ignoring them - if "Do nothing" had been selected in this case, I would never have known that certain events were ignored).

Thanks again,

Marc.
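What the parsing failure looks like in code, as an added example that is neither the ESM parsing rule nor code from the thread: a rule written for "interface:address/port" beside a tolerant one that accepts the optional username between address and port, run over constructed 305011/305012 lines. Placing the username as "(user)" directly after the first address is an assumption based on Marc's description that the field follows the first IP address; the exact ASA layout may differ.

```python
"""ASA 305011/305012 with and without the optional username field.

Added example, not the ESM parsing rule and not code from the thread. It shows
how a rule written for "interface:address/port" drops lines that carry a
username between the address and the port, and what the tolerant form looks
like. The four log lines are constructed; placing the username as "(user)"
directly after the first address is an assumption.
"""
import re

_COMMON_HEAD = (
    r"%ASA-\d-(?P<sid>30501[12]): (?P<action>Built|Teardown) "
    r"(?P<kind>dynamic|static) (?P<proto>TCP|UDP|ICMP) translation from "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)"
)
_COMMON_TAIL = (
    r"/(?P<src_port>\d+) to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: duration (?P<duration>\d+:\d{2}:\d{2}))?"
)

# Rule as a parser that has only seen username-less samples would write it.
STRICT_RE = re.compile(_COMMON_HEAD + _COMMON_TAIL)

# Same rule with an optional "(username)" group between address and port.
TOLERANT_RE = re.compile(_COMMON_HEAD + r"(?:\((?P<user>[^)]+)\))?" + _COMMON_TAIL)

# Constructed sample lines; the last one is a 302013 connection message that
# neither rule should claim.
SAMPLE_LINES = [
    "Mar 14 13:05:22 asa-edge %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.1.1.5/49152 to outside:203.0.113.7/49152",
    "Mar 14 13:05:30 asa-edge %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.1.1.5(marc.v)/49153 to outside:203.0.113.7/49153",
    "Mar 14 13:05:31 asa-edge %ASA-6-305012: Teardown dynamic TCP translation "
    "from inside:10.1.1.5(marc.v)/49153 to outside:203.0.113.7/49153 duration 0:00:01",
    "Mar 14 13:05:32 asa-edge %ASA-6-302013: Built outbound TCP connection 1337 "
    "for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.5/49154 (203.0.113.7/49154)",
]


def parse_translation(line, pattern=TOLERANT_RE):
    """Return the parsed fields of a 305011/305012 line, or None if the rule
    does not match (the receiver would file the line as an unknown event)."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def classify(lines, pattern=TOLERANT_RE):
    """Split lines into (parsed records, unknown raw lines) under `pattern`."""
    parsed, unknown = [], []
    for line in lines:
        rec = parse_translation(line, pattern)
        if rec is None:
            unknown.append(line)
        else:
            parsed.append(rec)
    return parsed, unknown


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_RE), ("tolerant", TOLERANT_RE)):
        parsed, unknown = classify(SAMPLE_LINES, pat)
        print(f"{name}: {len(parsed)} parsed, {len(unknown)} unknown")
        for rec in parsed:
            print(f"  {rec['sid']} {rec['action']:8} {rec['src_ip']}"
                  f" user={rec.get('user')} -> {rec['dst_ip']}/{rec['dst_port']}")
```

Under the strict rule only the username-less line parses and the two VPN-user lines join the 302013 message in the unknown bucket, which is exactly the "Log unknown events" population that carried the future timestamps; the tolerant rule keeps the username as its own field instead of losing the whole event.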

Re: 'Last Time' values more than one hour in the future

Glad you got to the bottom of it, Marc.  I hope you'll submit an enhancement request to have the rules updated to take into account the additional field.  Parser enhancement requests can be submitted via the following portal:

https://mcafee.acceptondemand.com/

Here's a doc that provides guidance on data that is helpful in these situations.

McAfee_ESM_Parser_Request_Checklist.pdf

https://community.mcafee.com/docs/DOC-5959

Cheers!

Scott
