2 Replies Latest reply on May 12, 2017 10:53 PM by jfpamesa

    Unable to Ingest Current Events due to Future Events

    jfpamesa

      Good Day,

       

      First of all here's my situation:

      • At first, I wasn't aware that SIEM components should be set to GMT, all my devices, users, and including system time of Combo Box were set to match our timezone (GMT+8)
      • Now, I'm already aware of the McAfee SIEM timezone settings and changed the timezone settings to the following: Data Sources->GMT+8; Users->GMT+8; ESM->GMT
      • As per checking using tcpdump command, data sources are sending events/logs to the Combo Box, however ESM wasn't able to ingest those logs/events both automatically and manually.
      • I think this is because there were ingested/downloaded logs/events dated on the future (May 9, 2017, Time of Posting/Issue: May 8, 2017) based from the Last Downloaded Event Record.

               

      • If I tried to change the date to an earlier date, the ESM can ingest/download events after doing that, however the Last Downloaded Event Record date keeps returning to the date in the screenshot.

       

      My question is, How do I fix this issue? Is there a way to set the Last Downloaded Event Record date to an earlier date permanently? I already tried deleting future events but, it didn't help.

       

      Looking forward for response and support on this one.

       

      Thank You!

        • 1. Re: Unable to Ingest Current Events due to Future Events
          abanaru

          You should have a Time Delta error in ESM.

          Access "Receiver Properties | Receiver / ELM Management | Time Delta" and check which Data Source is with issues.

           

          The idea is that:

          - System Time - it should be set to GMT (so when you analyze the logs on the console the time will be in GMT) - the other devices (receivers,elms,etc) sync their time with the ESM, so you don't set the time on those devices, the ESM does

          - User Time - is just to make sure that what you see in the ESM dashboard is in sync with the time on your wrist watch ; this helps you for example when filtering events, not to think about what the time in GMT is;

          - Data Source Time - this should be set to the exact value of the GMT you have on your Data Source (eg: you have a cisco router set to GMT+3, you should configure the data source in ESM for GMT+3 as well)

          2 of 2 people found this helpful
          • 2. Re: Unable to Ingest Current Events due to Future Events
            jfpamesa

            Thank you for your response abanaru.

             

            I was able to fix this, found out that the issue with my time is not related to my settings but to the Hypervisor I'm using. The Hypervisor's time is set to one day ahead of the current. McAfee SIEM syncs to the H/W clock during boot-up, hence, ESM time is dated a date ahead and ESM events generated are dated to the future.

             

            I corrected the Hypervisor's time and re-deploy the OVF template of a McAfee Combo Box. After that, I noticed that the ESM time is already set to GMT. I just set the Users Time and Data Sources timezone to GMT+8. No other things were performed.

             

            Thanks!

            Fritz