mvidic (Level 7), Message 1 of 6

Possible Event Time Mismatch

Hi,

I am new to SIEM. I've noticed the alarm "Possible Event Time Mismatch" for a few data sources.

Can you please explain to me what it indicates and how it could be solved?

Thanks a lot

5 Replies
catdaddy (Reliable Contributor), Message 2 of 6

Re: Possible Event Time Mismatch

Moved from Security Awareness > Security Information and Event Management > Discussions for better assistance.

Cliff
Moderator, McAfee Volunteer

Re: Possible Event Time Mismatch

I'm noticing the same behavior in my environment. Just configured an ESXi v6 host to send syslog to the receiver, and created the appropriate data source. Configured the NTP server and time in the web configuration settings. Validated it was receiving communication to the receiver using tcpdump, then I started getting the 'Possible Event Time Mismatch' alarms. Did an SSH session to the ESXi host and entered the command to check the current time. Even though the web config looked like it was using the local time zone, the host was set to GMT. Changed the data source configuration in ESM from local time zone to GMT.

Re: Possible Event Time Mismatch

The message "Possible event time mismatch" indicates that the logs the ESM is receiving are in the future or the past. The most common cause is that the time zone setting on the data source is incorrect. The time zone should match the time zone in the logs. As dogray7722 found, the logs were actually in GMT time and so he had to modify the data source configuration to match.

Re: Possible Event Time Mismatch

Every now and then I can see in the Receiver device log:

Event timestamp too old, will not be processed: <date>

The entry does not mention a data source name, only the name of the receiver. Do you know how to find out which data source is triggering this?

penoffd (Level 10), Message 6 of 6

Re: Possible Event Time Mismatch

You might want to look at the time deltas for your devices. That can sometimes give you some insight as to which devices are getting out of sync, or taking an inordinate time to report in or send logs to the receiver. In our case we see some serious latency with Symantec AV which we have never been able to resolve. You can find time deltas by going to the properties menu for the receiver and clicking on "Receiver Management > Time Delta".

[Attachment: Receiver Properties.JPG]
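The two points made in this thread, that a wrong time-zone setting on a data source makes zone-less syslog timestamps land in the future or past, and that per-source time deltas show which device is out of sync or lagging, can be reproduced with a small script. The following is an added illustration written for this page, not McAfee ESM code and not how the Receiver computes its own deltas: it parses constructed sample events for three hypothetical data sources under the zone the operator configured for each, reports the worst delta per source against the receiver's own clock, and then shows the same ESXi source after it is reconfigured as UTC, as dogray7722 did. The five-minute tolerance is an assumption; the thread does not state the threshold ESM uses.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets keep the example independent of the system tz database; a real
# data source would be configured with a named zone such as America/New_York.
UTC = timezone.utc
EST = timezone(timedelta(hours=-5), "EST")

# Constructed sample events: (data source, timestamp as written in the log body,
# time the receiver accepted the event, in UTC). Syslog bodies usually carry no
# zone indicator, so the receiver must assume one per data source.
SAMPLE_EVENTS = [
    # ESXi writes its syslog in GMT, but the operator configured it as local time.
    ("esxi-host-01", "2023-03-10 14:02:05", "2023-03-10T14:02:07Z"),
    ("esxi-host-01", "2023-03-10 14:02:09", "2023-03-10T14:02:11Z"),
    # Firewall logs in local (EST) time and is configured as EST: in sync.
    ("fw-edge",      "2023-03-10 09:02:03", "2023-03-10T14:02:05Z"),
    # AV server: zone is correct, but delivery lags about 12 minutes (latency, not a zone error).
    ("av-mgmt",      "2023-03-10 08:50:00", "2023-03-10T14:02:10Z"),
]

# Constructed: the zone the operator configured on each data source.
CONFIGURED_TZ = {"esxi-host-01": EST, "fw-edge": EST, "av-mgmt": EST}

TOLERANCE = timedelta(minutes=5)  # assumed threshold for raising a mismatch


def parse_event_time(raw: str, assumed_tz: timezone) -> datetime:
    """Interpret a zone-less log timestamp under the data source's configured zone."""
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=assumed_tz)


def event_delta_seconds(raw: str, received_iso: str, assumed_tz: timezone) -> float:
    """Event time minus receive time: positive means the event appears to be in the future."""
    received = datetime.fromisoformat(received_iso.replace("Z", "+00:00"))
    return (parse_event_time(raw, assumed_tz) - received).total_seconds()


def classify(delta: float, tolerance: timedelta = TOLERANCE) -> str:
    """'future' or 'past' when the delta exceeds the tolerance, else 'ok'."""
    if delta > tolerance.total_seconds():
        return "future"
    if delta < -tolerance.total_seconds():
        return "past"
    return "ok"


def time_delta_report(events, configured_tz, tolerance: timedelta = TOLERANCE):
    """Per data source, the largest-magnitude delta seen and its classification."""
    worst = {}
    for source, raw, received in events:
        delta = event_delta_seconds(raw, received, configured_tz[source])
        if source not in worst or abs(delta) > abs(worst[source]):
            worst[source] = delta
    return {s: (d, classify(d, tolerance)) for s, d in worst.items()}


def most_out_of_sync(report) -> str:
    """The data source with the largest absolute delta: the one to check first."""
    return max(report, key=lambda s: abs(report[s][0]))


if __name__ == "__main__":
    before = time_delta_report(SAMPLE_EVENTS, CONFIGURED_TZ)
    for source, (delta, status) in before.items():
        print(f"{source:14} delta={delta:+9.0f}s  {status}")
    print("check first:", most_out_of_sync(before))
    # The fix from the thread: the ESXi host actually logs in GMT, so configure it as UTC.
    corrected = {**CONFIGURED_TZ, "esxi-host-01": UTC}
    print("esxi-host-01 after fix:", time_delta_report(SAMPLE_EVENTS, corrected)["esxi-host-01"])
```

The ESXi source shows up almost exactly five hours in the future, which is the signature of a zone-offset error rather than clock drift; the AV source is flagged in the other direction with a delta that changes from event to event, which is what delivery latency looks like. Keeping the sign and the per-source worst case together is what lets the report answer the question asked above about which data source is behind a receiver-level "timestamp too old" entry.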
