I've been adding a slew of network devices into the SIEM and I've noticed an increase in the number of alerts from the SIEM concerning times of events being out of sync. Our team did some research and found that there were a few misconfigured routers. We've been adding more devices and this issue keeps coming up. The network team would like to quickly identify which devices need to be corrected. As it stands, the alerts in the SIEM log only reflect that there was an error and how many messages were received. How can I track down which devices are the source of these alerts?
You are correct that the device log will show a status flag for those events which have a time problem. To see which data source is the cause of those, select "Show All" in the filter column and look at the log entry preceding the status flag entry. That entry will show the data source that needs to have the time zone adjusted.
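A script that automates the lookup the answer describes, as an added example that is not part of the original thread. It assumes a pipe-delimited log export (the sample lines and their format are constructed, not a real SIEM format) and attributes each "time out of sync" status flag to the nearest preceding non-status entry, which is the data source the answer says to look at.

```python
import re
from dataclasses import dataclass

# Constructed sample export (not from the original post). Assumed fields:
# receive time | data source | entry kind | message
SAMPLE_LOG = """\
2024-03-05T10:00:01Z|router-core-01|event|interface Gi0/1 up
2024-03-05T10:00:02Z|SIEM|status|time out of sync: 14 messages affected
2024-03-05T10:00:05Z|fw-edge-02|event|deny tcp 10.0.0.5 -> 10.0.1.9
2024-03-05T10:00:09Z|router-branch-07|event|OSPF neighbor down
2024-03-05T10:00:10Z|SIEM|status|time out of sync: 3 messages affected
2024-03-05T10:00:11Z|SIEM|status|time out of sync: 2 messages affected
2024-03-05T10:00:12Z|router-core-01|event|config saved
2024-03-05T10:00:14Z|SIEM|status|time out of sync: 9 messages affected
"""

STATUS_RE = re.compile(r"time out of sync: (\d+) messages")


@dataclass
class Entry:
    ts: str
    source: str
    kind: str
    msg: str


def parse(text):
    """Split the export into Entry records, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, msg = line.split("|", 3)
        entries.append(Entry(ts, source, kind, msg))
    return entries


def sources_with_time_errors(text):
    """Return {data source: total flagged messages}.

    Each status flag is attributed to the closest preceding non-status
    entry, so back-to-back flags all land on the same device."""
    entries = parse(text)
    totals = {}
    for i, e in enumerate(entries):
        m = STATUS_RE.search(e.msg)
        if e.kind != "status" or not m:
            continue
        j = i - 1
        while j >= 0 and entries[j].kind == "status":
            j -= 1
        if j < 0:
            continue  # flag at top of the export: nothing to attribute it to
        totals[entries[j].source] = totals.get(entries[j].source, 0) + int(m.group(1))
    return totals
```

Run against a real export, the result lists the devices whose time zone or NTP configuration the network team should check first.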