jfpamesa
Level 7

Unable to Ingest Current Events due to Future Events


Good Day,

First of all here's my situation:

  • At first, I wasn't aware that SIEM components should be set to GMT; all my devices, users, and the system time of the Combo Box were set to match our timezone (GMT+8).
  • Now I'm aware of the McAfee SIEM timezone settings and changed them to the following: Data Sources -> GMT+8; Users -> GMT+8; ESM -> GMT.
  • As per checking with the tcpdump command, the data sources are sending events/logs to the Combo Box; however, the ESM wasn't able to ingest those logs/events either automatically or manually.
  • I think this is because there were ingested/downloaded logs/events dated in the future (May 9, 2017; time of posting/issue: May 8, 2017), based on the Last Downloaded Event Record.


  • If I change the date to an earlier date, the ESM can ingest/download events after that; however, the Last Downloaded Event Record date keeps returning to the date in the screenshot.

My question is: how do I fix this issue? Is there a way to set the Last Downloaded Event Record date to an earlier date permanently? I already tried deleting the future events, but it didn't help.

Looking forward to a response and support on this one.

Thank You!


Accepted Solutions
abanaru
Level 11

Re: Unable to Ingest Current Events due to Future Events


You should have a Time Delta error in ESM.

Access "Receiver Properties | Receiver / ELM Management | Time Delta" and check which Data Source has issues.

The idea is that:

- System Time: this should be set to GMT (so when you analyze the logs on the console, the time will be in GMT). The other devices (receivers, ELMs, etc.) sync their time with the ESM, so you don't set the time on those devices; the ESM does.

- User Time: this is just to make sure that what you see in the ESM dashboard is in sync with the time on your wrist watch. This helps you, for example, when filtering events, so you don't have to think about what the time in GMT is.

- Data Source Time: this should be set to the exact GMT offset you have on your Data Source (e.g., if you have a Cisco router set to GMT+3, you should configure the data source in ESM for GMT+3 as well).
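The Time Delta check described above, as an added example that is not part of the original answer or of McAfee's own code: it normalises each device-local timestamp to GMT using the offset configured for that data source, then reports how far each event sits ahead of or behind the receiver's clock. Data source names, timestamps and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events: (data source name, device-local timestamp as
# written in the log line, GMT offset in hours configured for that data
# source in ESM). Both devices actually run at GMT+8; only the first is
# configured correctly, the second is (wrongly) configured as GMT.
SAMPLE_EVENTS = [
    ("fw-core", "2017-05-08 14:30:00", 8),
    ("rtr-edge", "2017-05-08 14:30:00", 0),
]

# Receiver/ESM system clock in GMT at the moment the events arrive
# (14:30 at GMT+8 is 06:30 GMT), plus the skewed clock from the thread:
# a hypervisor running one day ahead of real time.
RECEIVER_NOW_UTC = datetime(2017, 5, 8, 6, 30, tzinfo=timezone.utc)
SKEWED_NOW_UTC = RECEIVER_NOW_UTC + timedelta(days=1)


def to_utc(local_ts: str, offset_hours: int) -> datetime:
    """Interpret a naive device-local timestamp with the data source's
    configured offset and normalise it to GMT (the ESM system time)."""
    tz = timezone(timedelta(hours=offset_hours))
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def time_delta_seconds(event_utc: datetime, receiver_now_utc: datetime) -> int:
    """Positive: the event claims a time in the receiver's future."""
    return int((event_utc - receiver_now_utc).total_seconds())


def classify_delta(delta: int, max_future: int = 300, max_lag: int = 3600) -> str:
    """Thresholds are constructed: a few minutes of future drift is
    tolerated, anything beyond that is a timezone or clock problem."""
    if delta > max_future:
        return "future"
    if delta < -max_lag:
        return "stale"
    return "ok"


def check_events(events, receiver_now_utc):
    """Return {source: (delta_seconds, status)} for a time-delta review."""
    report = {}
    for source, raw_ts, offset in events:
        delta = time_delta_seconds(to_utc(raw_ts, offset), receiver_now_utc)
        report[source] = (delta, classify_delta(delta))
    return report


if __name__ == "__main__":
    for src, (delta, status) in check_events(SAMPLE_EVENTS, RECEIVER_NOW_UTC).items():
        print(f"{src}: delta={delta:+d}s {status}")
```

With the receiver clock correct, the mis-configured source shows up eight hours in the future; with the receiver clock a day ahead, even the correctly configured source is reported a day stale, which is the pattern the original poster saw.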

2 Replies

jfpamesa
Level 7

Re: Unable to Ingest Current Events due to Future Events


Thank you for your response abanaru.

I was able to fix this. I found out that the issue with my time is not related to my settings but to the hypervisor I'm using. The hypervisor's time was set to one day ahead of the current date. McAfee SIEM syncs to the H/W clock during boot-up; hence, the ESM time was dated a day ahead and the ESM events generated were dated in the future.

I corrected the hypervisor's time and re-deployed the OVF template of a McAfee Combo Box. After that, I noticed that the ESM time was already set to GMT. I just set the Users time and Data Sources timezone to GMT+8. Nothing else was changed.

Thanks!

Fritz
