
Possible Event Time Mismatch


I am new to SIEM. I've noticed the alarm "Possible Event Time Mismatch" for a few data sources.

Can you please explain to me what it indicates and how it could be solved?

Thanks a lot

5 Replies
Reliable Contributor catdaddy

Re: Possible Event Time Mismatch

Moved from Security Awareness > Security Information and Event Management > Discussions

For better assistance.



McAfee Volunteer

Re: Possible Event Time Mismatch

I'm noticing the same behavior in my environment.  Just configured an ESXi v6 host to send syslog to the receiver, and created the appropriate data source.  Configured the NTP server and time in the web configuration settings.  Validated was receiving communication to the receiver using tcpdump, then I started getting the 'Possible Event Time Mismatch Alarms.'  Did an SSH session to the ESXi host and entered the command to check the current time.  Even though the web config looked like it was using the local time zone, the host was set to GMT.  Changed the data source configuration in ESM from local time zone to GMT.


Re: Possible Event Time Mismatch

The message "Possible event time mismatch" indicates that the logs the ESM is receiving are in the future or the past. The most common cause is that the time zone setting on the datasource is incorrect. The timezone should match the timezone in the logs. As dogray7722 found, the logs were actually in GMT time and so he had to modify the datasource configuration to match.

Re: Possible Event Time Mismatch

Every now and then I can see in the Receiver device log:

Event timestamp too old, will not be processed: <date>

The entry does not mention a data source name, only the name of the receiver. Do you know how to find out which datasource is triggering this?

Reliable Contributor penoffd

Re: Possible Event Time Mismatch

You might want to look at the time deltas for your devices.  That can sometimes give you some insight as to what devices are getting out of sync, or taking an inordinate time to report in or send logs to the receiver.  In our case we see some serious latency with Symantec AV which we have never been able to resolve.  You can find time deltas by going to the properties menu for the receiver and clicking on "Receiver Management > Time Delta"
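
Added example, not part of the thread and not McAfee code: a way to tell a time zone misconfiguration (the GMT case above) from latency or clock drift (the time-delta case) by re-reading the same log timestamps under each whole-hour UTC offset. The sample records, the source names, the UTC-5 "configured" offset and the 5-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta
from datetime import timezone as tz
from statistics import median

TOLERANCE = timedelta(minutes=5)  # assumed threshold, not a product default

def event_delta(arrival_utc, log_text, offset_hours):
    """Event time minus arrival time when the zone-less log text is read at a UTC offset."""
    zone = tz(timedelta(hours=offset_hours))
    event = datetime.strptime(log_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    return event - datetime.fromisoformat(arrival_utc)

def median_delta(samples, offset_hours):
    return median(event_delta(a, t, offset_hours) for a, t in samples)

def diagnose(samples, configured_offset):
    """Return (verdict, offset_hours, delta) for one data source."""
    current = median_delta(samples, configured_offset)
    if abs(current) <= TOLERANCE:
        return ("ok", configured_offset, current)
    # Whole-hour offsets only; zones such as +05:30 would need extra candidates.
    best = min(range(-12, 15), key=lambda off: abs(median_delta(samples, off)))
    residual = median_delta(samples, best)
    if abs(residual) <= TOLERANCE:
        return ("zone_mismatch", best, residual)  # fix the data source time zone
    return ("clock_or_latency", configured_offset, current)  # check NTP / delivery lag

# Constructed samples: (receiver arrival time in UTC, timestamp text found in the log).
ESXI_SAMPLES = [  # host writes GMT; sent within seconds
    ("2024-03-05T14:00:02+00:00", "2024-03-05 14:00:01"),
    ("2024-03-05T14:03:12+00:00", "2024-03-05 14:03:10"),
    ("2024-03-05T14:07:31+00:00", "2024-03-05 14:07:30"),
]
AV_SAMPLES = [  # correct zone, but events arrive about 40 minutes late
    ("2024-03-05T14:00:05+00:00", "2024-03-05 13:20:00"),
    ("2024-03-05T14:10:10+00:00", "2024-03-05 13:29:00"),
    ("2024-03-05T14:20:00+00:00", "2024-03-05 13:40:10"),
]

if __name__ == "__main__":
    print(diagnose(ESXI_SAMPLES, -5))  # data source set to UTC-5, logs are GMT
    print(diagnose(AV_SAMPLES, 0))     # zone is right, delivery is slow
```

A delay close to a whole hour is indistinguishable from a one-hour zone error by timestamps alone, so confirm the suggested offset against the clock on the device itself.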
