I am new to SIEM. I've noticed alarm "Possible Event Time Mismatch" for few data sources.
Can you please explain to me what does it indicate and how could it be solved.
Thanks a lot
I'm noticing the same behavior in my environment. Just configured an ESXi v6 host to send syslog to the receiver, and created the appropriate data source. Configured the NTP server and time in the web configuration settings. Validated was receiving communication to the receiver using tcpdump, then I started getting the 'Possible Event Time Mismatch Alarms.' Did an SSH session to the ESXi host and entered the command to check the current time. Even thought the web config looked like it was using the local time zone, the host was set to GMT. Changed the data source configuration in ESM from local time zone to GMT.
The message "Posssible event time mismatch" indicates that the logs the ESM is receiving are in the future or the past. The most common cause is that the time zone setting on the datasource is incorrect. The timezone should match the timezone in the logs. As dogray7722 found, the logs were actually in GMT time and so he had to modify the datasource configuration to match.
Every now and then I can see in the Receiver device log:
Event timestamp too old, will not be processed: <date>
The entry does not mention a data source name, only the name of the receiver. Do you know how to find out which datasource is triggering this?
You might want to look at the time deltas for your devices. That can sometimes give you some insight as to what devices are getting out of sync, or taking an inordinate time to report in or send logs to the receiver. In our case we see some serious latency with Symantec AV which we have never been able to resolve. You can find time deltas by going to the properties menu for the receiver and clicking on "Receiver Management > Time Delta"