You should have a Time Delta error in ESM.
Access "Receiver Properties | Receiver / ELM Management | Time Delta" and check which Data Source has issues.
The idea is that:
- System Time - it should be set to GMT (so when you analyze the logs on the console the time will be in GMT) - the other devices (receivers, ELMs, etc.) sync their time with the ESM, so you don't set the time on those devices, the ESM does
- User Time - is just to make sure that what you see in the ESM dashboard is in sync with the time on your wristwatch; this helps you, for example, when filtering events, not to think about what the time in GMT is;
- Data Source Time - this should be set to the exact value of the GMT you have on your Data Source (e.g. you have a Cisco router set to GMT+3, you should configure the data source in ESM for GMT+3 as well)
Thank you for your response abanaru.
I was able to fix this; I found out that the issue with my time is not related to my settings but to the Hypervisor I'm using. The Hypervisor's time is set to one day ahead of the current date. McAfee SIEM syncs to the H/W clock during boot-up; hence, ESM time is dated a day ahead and ESM events generated are dated to the future.
I corrected the Hypervisor's time and redeployed the OVF template of a McAfee Combo Box. After that, I noticed that the ESM time was already set to GMT. I just set the Users Time and Data Sources time zone to GMT+8. Nothing else was performed.
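Added example, not part of the original posts and not McAfee code: a Python sketch of the two failure modes in this thread, a data source whose configured time zone does not match the device (the GMT+3 router case) and a receiving clock that is a day off (the hypervisor case). The 5-minute threshold, the function names and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed tolerance for this sketch; not an ESM default.
MAX_DELTA = timedelta(minutes=5)
# Largest real UTC offset is +14 h; used to tell a zone mix-up from a wrong clock.
MAX_TZ_HOURS = 14


def to_utc(device_stamp: str, configured_offset_hours: int) -> datetime:
    """Interpret a zone-less device timestamp with the offset configured
    for that data source and normalise it to UTC (GMT)."""
    naive = datetime.strptime(device_stamp, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=configured_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def time_delta(device_stamp: str, configured_offset_hours: int,
               received_utc: datetime) -> timedelta:
    """Signed delta; positive means the event looks newer than the receiver clock."""
    return to_utc(device_stamp, configured_offset_hours) - received_utc


def classify(delta: timedelta) -> str:
    """Label a delta as ok, a likely time zone misconfiguration, or clock skew."""
    if abs(delta) <= MAX_DELTA:
        return "ok"
    seconds = abs(delta).total_seconds()
    hours = round(seconds / 3600)
    near_whole_hour = abs(seconds - hours * 3600) <= MAX_DELTA.total_seconds()
    # Heuristic: whole-hour offsets only; half-hour zones would fall through to skew.
    if near_whole_hour and 1 <= hours <= MAX_TZ_HOURS:
        return "timezone mismatch"
    return "clock skew"


# Constructed sample data: a router at GMT+3 stamps 12:00:00 local time,
# and the receiver (correct clock, GMT) sees the event five seconds later.
RECEIVED = datetime(2024, 5, 10, 9, 0, 5, tzinfo=timezone.utc)
ROUTER_STAMP = "2024-05-10 12:00:00"
# Same event, but the receiving system booted from a H/W clock one day ahead.
RECEIVED_DAY_AHEAD = RECEIVED + timedelta(days=1)

if __name__ == "__main__":
    cases = [("configured GMT+3", 3, RECEIVED), ("configured GMT", 0, RECEIVED),
             ("clock one day ahead", 3, RECEIVED_DAY_AHEAD)]
    for label, offset, received in cases:
        d = time_delta(ROUTER_STAMP, offset, received)
        print(f"{label}: delta={d.total_seconds():+.0f}s -> {classify(d)}")
```

A delta close to a whole number of hours points at the data source time zone setting, while a larger or irregular delta points at a clock, which is the distinction that separated the first answer's suggestion from the hypervisor cause found here.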