Websense Timestamp Issue

Hi Team,

I have integrated the Websense proxy with the SIEM, and I am facing an issue with the timestamp. In the packet it shows the real time, but in the console the time is -5.30 hrs.

Kindly suggest me on the same.

Regards,

Santosh B Siddanaikar

Reliable Contributor David1111
Re: Websense Timestamp Issue

Hi,

In the upper part of the screenshot you see the time that the event came into the SIEM.

In the lower part (the row packet) you see the original time, the time that the device wrote the packet.

If the time in the packet is not correct and doesn't make sense, check with the Websense admin whether the local device time is correct.

If the time on the top (the SIEM timestamp) doesn't make sense, check the NTP settings on the ESM.

Best regards

Re: Websense Timestamp Issue

Hi David,

The local device time is correct and NTP is also synced with ESM. Both are correct.
Reliable Contributor David1111
Re: Websense Timestamp Issue

Hi

All of the components are set to GMT?

Re: Websense Timestamp Issue

Hi

Yes, all of the components are set to GST +5.30.
McAfee Employee mherr
Re: Websense Timestamp Issue

Are there any other timestamps in the packet, such as rt=.?

Copy the packet, open policy and go to the ASP for the event in question, and make sure the timestamp field that is being parsed is the one you are expecting to be parsed.

Re: Websense Timestamp Issue

Hi David,

Yes, there is rt=1543209470 in the packet.
Kindly suggest what next has to be done.

Regards,
Santosh B Siddanaikar
Reliable Contributor David1111
Re: Websense Timestamp Issue

Copy a packet in order to test it against the regex rule in the policy.

Then look at what is matching the Time field: the real time, or a different time?

If it's getting a wrong time, you will need to play around and fix the regex syntax in order to match the desired time.

Best regards.

McAfee Employee mherr
Re: Websense Timestamp Issue

In addition to what David1111 said, check the Field Assignment tab too. This will show you which date/time field is being used in First Time and Last Time. You should also check the mapping tab to make sure the date/time is correctly formatted.

You can check the date/time of rt by going to this site and pasting it in: https://www.epochconverter.com/

More than likely, it is GMT and the data source will need to be changed to GMT.  
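
As an added illustration (not part of the thread and not McAfee ESM code), the Python below pulls rt= out of a constructed packet, decodes it as UTC, and classifies a console-versus-packet gap as a time zone offset or as clock drift. Only rt=1543209470 comes from the thread; the rest of the packet, the function names, and the `normalize` model of how a receiver applies a data source time zone are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample packet; only the rt= value is taken from the thread.
SAMPLE_PACKET = ("CEF:0|Websense|Security|0|9|Transaction permitted|1| "
                 "act=permitted rt=1543209470 src=192.0.2.10")
IST = timedelta(hours=5, minutes=30)  # the +5.30 zone mentioned in the thread

def extract_rt(packet):
    """Return rt= as an aware UTC datetime (epoch seconds or milliseconds)."""
    m = re.search(r"(?:^|\s)rt=(\d{10}|\d{13})(?=\s|$)", packet)
    if not m:
        raise ValueError("no epoch rt= field in packet")
    digits = m.group(1)
    seconds = int(digits) / 1000 if len(digits) == 13 else int(digits)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def normalize(parsed_utc, configured_offset):
    """Assumed receiver model: read the parsed value as wall-clock time in
    the configured data source zone, then convert it to UTC for storage."""
    wall_clock = parsed_utc.replace(tzinfo=timezone(configured_offset))
    return wall_clock.astimezone(timezone.utc)

def classify_skew(event_utc, console_utc, tolerance=timedelta(seconds=60)):
    """Label the gap between packet time and console time."""
    skew = console_utc - event_utc
    if abs(skew) <= tolerance:
        return "ok", skew
    quarter = timedelta(minutes=15)  # real zone offsets are multiples of 15 min
    nearest = round(skew / quarter) * quarter
    if abs(skew - nearest) <= tolerance and abs(nearest) <= timedelta(hours=14):
        return "timezone-offset", nearest
    return "clock-drift", skew

if __name__ == "__main__":
    event = extract_rt(SAMPLE_PACKET)
    print("rt as UTC:", event.isoformat())
    print("rt as +05:30:", event.astimezone(timezone(IST)).isoformat())
    for label, offset in (("GMT", timedelta(0)), ("+05:30", IST)):
        print(label, classify_skew(event, normalize(event, offset)))
```

A gap that lands on a whole time zone offset points at zone configuration, while an irregular gap points at clock or NTP problems.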

Reliable Contributor David1111
Re: Websense Timestamp Issue

Hi Santosh.

I'm interested if you found a solution?!
If yes, what was the problem / solution?!

Thank you
