
Unable to Ingest Current Events due to Future Events


Good Day,

First of all here's my situation:

  • At first, I wasn't aware that SIEM components should be set to GMT; all my devices, users, and the system time of the Combo Box were set to match our timezone (GMT+8).
  • Now I'm aware of the McAfee SIEM timezone settings and have changed them to the following: Data Sources->GMT+8; Users->GMT+8; ESM->GMT
  • As per checking using the tcpdump command, data sources are sending events/logs to the Combo Box; however, ESM wasn't able to ingest those logs/events, either automatically or manually.
  • I think this is because there were ingested/downloaded logs/events dated in the future (May 9, 2017; Time of Posting/Issue: May 8, 2017), based on the Last Downloaded Event Record.

  • If I change the date to an earlier date, the ESM can ingest/download events after doing that; however, the Last Downloaded Event Record date keeps returning to the date in the screenshot.

My question is, how do I fix this issue? Is there a way to set the Last Downloaded Event Record date to an earlier date permanently? I already tried deleting future events, but it didn't help.

Looking forward to your response and support on this one.

Thank You!


Accepted Solutions
abanaru
Level 11
Message 2 of 3

Re: Unable to Ingest Current Events due to Future Events


You should have a Time Delta error in ESM.

Access "Receiver Properties | Receiver / ELM Management | Time Delta" and check which Data Source has issues.

The idea is that:

- System Time - it should be set to GMT (so when you analyze the logs on the console the time will be in GMT) - the other devices (receivers, ELMs, etc.) sync their time with the ESM, so you don't set the time on those devices, the ESM does.

- User Time - is just to make sure that what you see in the ESM dashboard is in sync with the time on your wristwatch; this helps you, for example, when filtering events, not to think about what the time in GMT is.

- Data Source Time - this should be set to the exact value of the GMT offset you have on your Data Source (e.g. you have a Cisco router set to GMT+3, you should configure the data source in ESM for GMT+3 as well).

Re: Unable to Ingest Current Events due to Future Events


Thank you for your response abanaru.

I was able to fix this, found out that the issue with my time is not related to my settings but to the Hypervisor I'm using. The Hypervisor's time is set to one day ahead of the current. McAfee SIEM syncs to the H/W clock during boot-up, hence, ESM time is dated a date ahead and ESM events generated are dated to the future.

I corrected the Hypervisor's time and re-deployed the OVF template of a McAfee Combo Box. After that, I noticed that the ESM time is already set to GMT. I just set the Users Time and Data Sources timezone to GMT+8. No other things were performed.

Thanks!

Fritz
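
An added example, not part of the thread and not McAfee tooling: a standalone Python check that normalises each event's logged timestamp to UTC using the data source's configured offset, compares it with the receiver's arrival time, and separates a whole-hour timezone mismatch from a wrong clock such as the hypervisor running a day ahead. The source names, sample events, two-minute tolerance and 14-hour bound are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample: (source, timestamp as logged, UTC offset configured for
# the data source in hours, arrival time on the receiver in UTC).
SAMPLE_EVENTS = [
    ("fw-01", "2017-05-08 14:00:05", 8, "2017-05-08 06:00:07"),   # correct
    ("rtr-02", "2017-05-08 14:00:10", 0, "2017-05-08 06:00:11"),  # offset not set
    ("esx-vm", "2017-05-09 14:00:00", 8, "2017-05-08 06:00:02"),  # clock a day ahead
    ("sw-03", "2017-05-08 13:52:00", 8, "2017-05-08 06:00:20"),   # clock drifting
]

def time_delta(log_ts, offset_hours, received_utc):
    """Event time normalised to UTC, minus the receiver's arrival time."""
    tz = timezone(timedelta(hours=offset_hours))
    event = datetime.strptime(log_ts, FMT).replace(tzinfo=tz)
    arrival = datetime.strptime(received_utc, FMT).replace(tzinfo=timezone.utc)
    return event.astimezone(timezone.utc) - arrival

def classify(delta, tolerance=timedelta(minutes=2)):
    """Label a delta; tolerance and the 14 h bound are assumed values."""
    if abs(delta) <= tolerance:
        return "ok"
    secs = delta.total_seconds()
    hours = round(secs / 3600)
    residual = abs(secs - hours * 3600)
    # A delta that is a whole number of hours within the range of real UTC
    # offsets points at the timezone setting rather than the clock itself.
    if hours != 0 and abs(hours) <= 14 and residual <= tolerance.total_seconds():
        return "timezone-offset-mismatch"
    return "clock-ahead" if secs > 0 else "clock-behind"

def report(events=SAMPLE_EVENTS):
    """Map each source to its verdict."""
    return {src: classify(time_delta(ts, off, rx)) for src, ts, off, rx in events}

if __name__ == "__main__":
    for src, verdict in report().items():
        print(f"{src:8} {verdict}")
```
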
