
Unable to Ingest Current Events due to Future Events


Good Day,

First of all here's my situation:

  • At first, I wasn't aware that SIEM components should be set to GMT; all my devices, users, and the system time of the Combo Box were set to match our timezone (GMT+8).
  • Now I'm aware of the McAfee SIEM timezone settings and have changed them to the following: Data Sources->GMT+8; Users->GMT+8; ESM->GMT.
  • As per checking using the tcpdump command, data sources are sending events/logs to the Combo Box; however, ESM wasn't able to ingest those logs/events, either automatically or manually.
  • I think this is because there were ingested/downloaded logs/events dated in the future (May 9, 2017; Time of Posting/Issue: May 8, 2017), based on the Last Downloaded Event Record.
  • If I change the date to an earlier date, the ESM can ingest/download events after doing that; however, the Last Downloaded Event Record date keeps returning to the date in the screenshot.

My question is: how do I fix this issue? Is there a way to set the Last Downloaded Event Record date to an earlier date permanently? I already tried deleting future events, but it didn't help.

Looking forward to a response and support on this one.

Thank You!

1 Solution

Accepted Solutions

Re: Unable to Ingest Current Events due to Future Events


You should have a Time Delta error in ESM.

Access "Receiver Properties | Receiver / ELM Management | Time Delta" and check which Data Source has issues.

The idea is that:

- System Time - it should be set to GMT (so when you analyze the logs on the console the time will be in GMT). The other devices (receivers, ELMs, etc.) sync their time with the ESM, so you don't set the time on those devices; the ESM does.

- User Time - this is just to make sure that what you see in the ESM dashboard is in sync with the time on your wristwatch; this helps you, for example, when filtering events, so you don't have to think about what the time in GMT is.

- Data Source Time - this should be set to the exact value of the GMT you have on your Data Source (e.g. you have a Cisco router set to GMT+3, you should configure the data source in ESM for GMT+3 as well).


Re: Unable to Ingest Current Events due to Future Events


Thank you for your response abanaru.

I was able to fix this. I found out that the issue with my time is not related to my settings but to the hypervisor I'm using. The hypervisor's time was set one day ahead of the current date. McAfee SIEM syncs to the H/W clock during boot-up; hence, ESM time is dated a day ahead and the ESM events generated are dated in the future.

I corrected the hypervisor's time and redeployed the OVF template of a McAfee Combo Box. After that, I noticed that the ESM time is already set to GMT. I just set the Users Time and Data Sources timezone to GMT+8. No other things were performed.

Thanks!

Fritz
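The time model from the accepted answer and the clock skew found in the last reply, worked through as an added example (not McAfee ESM code and not from the thread): device timestamps are converted to GMT with the offset configured for each data source, compared with the collector clock, and a delta shared by every source is attributed to the collector rather than to a data source setting. The function names, the hosts `fw01`/`rtr01`, the sample timestamps and the 5-minute tolerance are assumptions.

```python
from datetime import datetime, timedelta, timezone

TOLERANCE = timedelta(minutes=5)  # assumed threshold, not a product default

def to_gmt(stamp, offset_hours):
    """Read a zone-less device timestamp using the offset configured for its data source."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)

def time_deltas(events, offsets, collector_now):
    """Map each source to (its newest event time in GMT) minus (collector clock in GMT)."""
    newest = {}
    for source, stamp in events:
        when = to_gmt(stamp, offsets[source])
        newest[source] = max(when, newest.get(source, when))
    return {s: t - collector_now for s, t in newest.items()}

def diagnose(deltas):
    """Separate per-source timezone mistakes from a skewed collector clock."""
    bad = {s: d for s, d in deltas.items() if abs(d) > TOLERANCE}
    if not bad:
        return "ok", bad
    spread = max(deltas.values()) - min(deltas.values())
    if len(bad) == len(deltas) and len(deltas) > 1 and spread <= TOLERANCE:
        return "collector clock suspect", bad  # every source is off by the same amount
    return "data source offset suspect", bad

# Constructed sample: two devices running at GMT+8, true time 2017-05-08 02:00 GMT.
EVENTS = [("fw01", "2017-05-08 09:58:10"), ("fw01", "2017-05-08 10:00:00"),
          ("rtr01", "2017-05-08 09:59:30")]
TRUE_NOW = datetime(2017, 5, 8, 2, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    cases = {
        "offsets match devices": ({"fw01": 8, "rtr01": 8}, TRUE_NOW),
        "rtr01 left at GMT": ({"fw01": 8, "rtr01": 0}, TRUE_NOW),
        "collector one day ahead": ({"fw01": 8, "rtr01": 8}, TRUE_NOW + timedelta(days=1)),
    }
    for name, (offsets, now) in cases.items():
        verdict, bad = diagnose(time_deltas(EVENTS, offsets, now))
        print(name, "->", verdict, {s: str(d) for s, d in bad.items()})
```

A positive delta means the source's events land in the collector's future, which is the condition described in the original question.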
