3 Replies Latest reply on May 31, 2017 1:48 AM by ksudki

    DHCP event time not correct

    ksudki

      Hello,

       

      I am collecting DHCP events from 4 different servers worldwide (HQ, US, BR) and for some reason one of them does not display the time correctly.

       

      The issue is happening with a Brazilian server which is in GMT-3 Brasilia time zone.

      The data source is configured as described in the SIEM_Data_Source_Configuration_Microsoft_Windows_DHCP using MEF with the time zone set to GMT-3 Brasilia time.

       

      Sample log

      30,05/29/17,06:22:15,DNS Update Request,10.14.213.14,<hostname>,,,0,6,,,,,,,,,0

       

      This will produce an event with the wrong last_time in the ESM, 09:38:43 (which corresponds to GMT-3 06:38:43), which is wrong as the last_time should correspond to the time when the event was generated.

       

      I already tried to install SIEM Collector 10 & 11 and reconfigured the data source on both ESM and collector multiple times but the issue is still there.

       

      Has anybody already faced such an issue in the past and found a solution?

       

      Thank you in advance

        • 1. Re: DHCP event time not correct
          sssyyy

          You might have to play around with the time zone settings. If you are 3 hrs ahead of Brazil, then the last time is correct. I assume your GUI time zone is set at Brazil + 3 hr zone?

          • 2. Re: DHCP event time not correct
            ksudki

            Correct, however the timezone is not the problem.

             

            With my view in GMT+0, the calculation of the last_time is:

            Event generated time - timezone offset = last_time

             

            So in my case:

            Event generated time - (-3) = last_time

             

            Replacing with the values of the above sample:

            06:22:15 +3 = 09:22:15

             

            But the last_time I have for this event is 09:38:43 in the GUI

             

            Can somebody explain why the parsing of the event is wrong? Does MEF use the receive time instead of the time of the event sometimes?

             

            Again, this works well with similar data sources located in the US for example so I do not understand why it fails on this server.

            • 3. Re: DHCP event time not correct
              ksudki

              Switching the timezone to Buenos Aires (GMT-3) resolved my issue.

               

              I opened a service request to solve this issue.
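
The check worked through in this thread, as an added example that is not part of the original posts and not vendor code: it parses the sample DHCP audit line, converts the logged local time to UTC with the configured offset, and tests whether the gap to the SIEM's last_time has the shape of a time zone error. The function names, the 2-second tolerance and the assumption that the observed last_time falls on the same date as the log entry are choices made for this example.

```python
import csv
from datetime import datetime, timedelta, timezone

# Sample line from the first post (hostname placeholder kept as posted).
SAMPLE = "30,05/29/17,06:22:15,DNS Update Request,10.14.213.14,<hostname>,,,0,6,,,,,,,,,0"

def parse_dhcp_line(line, utc_offset_hours):
    """Return (event_id, description, ip, event_time_utc) for one audit log line."""
    fields = next(csv.reader([line]))
    if len(fields) < 5:
        raise ValueError("not a DHCP audit record: %r" % line)
    event_id, date_s, time_s, description, ip = fields[:5]
    # The log stores server-local wall-clock time as MM/DD/YY,HH:MM:SS.
    local = datetime.strptime(date_s + " " + time_s, "%m/%d/%y %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return int(event_id), description, ip, utc

def classify_skew(expected_utc, observed_utc, tolerance=timedelta(seconds=2)):
    """Compare the SIEM timestamp with the timestamp computed from the log.

    UTC offsets are multiples of 15 minutes, so a non-zero skew that is a
    multiple of 15 minutes looks like an offset error; any other skew means
    the timestamp came from a different clock or field.
    """
    skew = observed_utc - expected_utc
    if abs(skew) <= tolerance:
        return skew, "match"
    quarter = timedelta(minutes=15)
    remainder = abs(skew) % quarter
    if min(remainder, quarter - remainder) <= tolerance:
        return skew, "offset-shaped"
    return skew, "not-offset-shaped"

if __name__ == "__main__":
    _, desc, ip, expected = parse_dhcp_line(SAMPLE, utc_offset_hours=-3)
    # last_time reported in the thread, viewed in GMT+0 (date assumed).
    observed = datetime(2017, 5, 29, 9, 38, 43, tzinfo=timezone.utc)
    skew, verdict = classify_skew(expected, observed)
    print(desc, ip, expected.isoformat(), skew, verdict)
```
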