3 Replies Latest reply on May 31, 2017 1:48 AM by ksudki

    DHCP event time not correct




      I am collecting DHCP events from 4 different servers worldwide (HQ, US, BR) and for some reason one of them does not display the time correctly.


      The issue is happening with a Brazilian server which is in GMT-3 Brasilia time zone.

      The data source configuration is configured as described in the SIEM_Data_Source_Configuration_Microsoft_Windows_DHCP using MEF with time zone set to GMT-3 Brasilia time


      Sample log

      30,05/29/17,06:22:15,DNS Update Request,,<hostname>,,,0,6,,,,,,,,,0


      This will produce an event with the wrong last_time in the ESM, 09:38:43 (which corresponds to GMT-3 06:38:43), which is wrong, as the last_time should correspond to the time when the event was generated.


      I already tried to install SIEM Collector 10 & 11 and reconfigured the data source on both ESM and collector multiple times but the issue is still there.


      Has anybody already faced such an issue in the past and found a solution?


      Thank you in advance

        • 1. Re: DHCP event time not correct

          You might have to play around with the time zone settings. If you are 3 hrs ahead of Brazil, then the last time is correct. I assume your GUI time zone is set at Brazil + 3 hr zone?

          • 2. Re: DHCP event time not correct

            Correct, however the timezone is not the problem.


            With my view in GMT+0, the calculation of the last_time is:

            Event generated time - timezone offset = last_time


            So in my case:

            Event generated time - (-3) = last_time


            Replacing with the values of the above sample:

            06:22:15 +3 = 09:22:15


            But the last_time I have for this event is 09:38:43 in the GUI


            Can somebody explain why the parsing of the event is wrong? Does MEF sometimes use the receive time instead of the time of the event?


            Again, this works well with similar data sources located in the US, for example, so I do not understand why it fails on this server.
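
The calculation in reply 2, as an added example that is not part of the original posts and not McAfee code: it parses the sample DHCP log line, converts it to UTC with a fixed offset, and checks whether the gap to the SIEM's last_time could be a time zone shift at all. The function names, the 5-second tolerance, the 15-minute offset heuristic, and the assumption that the GUI value falls on the same date are all choices made for this example.

```python
import csv
from datetime import datetime, timedelta, timezone

# The log line quoted in the thread, and the last_time the poster saw (GMT+0 view).
SAMPLE_LINE = "30,05/29/17,06:22:15,DNS Update Request,,<hostname>,,,0,6,,,,,,,,,0"
SIEM_LAST_TIME = datetime(2017, 5, 29, 9, 38, 43, tzinfo=timezone.utc)  # date assumed


def parse_dhcp_event_time(line, utc_offset_hours):
    """Return the event time of a DHCP audit log line as an aware UTC datetime."""
    fields = next(csv.reader([line]))
    # Column layout as in the sample: ID, Date (MM/DD/YY), Time (HH:MM:SS), ...
    local = datetime.strptime(f"{fields[1]} {fields[2]}", "%m/%d/%y %H:%M:%S")
    source_tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=source_tz).astimezone(timezone.utc)


def classify_drift(expected_utc, siem_utc, tolerance=timedelta(seconds=5)):
    """Compare the SIEM timestamp with the time written in the log itself.

    Returns (drift, verdict). Heuristic: UTC offsets in use today are
    multiples of 15 minutes, so a drift that is not such a multiple
    cannot be produced by a time zone setting alone.
    """
    drift = siem_utc - expected_utc
    if abs(drift) <= tolerance:
        return drift, "match"
    if int(drift.total_seconds()) % 900 == 0:
        return drift, "timezone_offset"
    return drift, "not_timezone"


def check_sample():
    """Run the thread's numbers: log time in GMT-3 versus the displayed last_time."""
    expected = parse_dhcp_event_time(SAMPLE_LINE, -3)
    return expected, *classify_drift(expected, SIEM_LAST_TIME)


if __name__ == "__main__":
    expected, drift, verdict = check_sample()
    print(f"expected UTC: {expected:%H:%M:%S}  drift: {drift}  verdict: {verdict}")
```

Running the same check across a batch of events shows whether the drift is constant (a configuration offset) or varies per event, which matters when timestamps are used to order events during an investigation.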

            • 3. Re: DHCP event time not correct

              Switching the timezone to Buenos Aires (GMT-3) resolved my issue.


              I opened a service request to solve this issue.