11 Replies Latest reply on Feb 18, 2014 10:01 AM by docdriza

    Interesting Log events

    docdriza

      One of my receivers keeps showing this red flag log.

      [Screenshot: receiver Application log view, 2014-02-07]

      What am I supposed to troubleshoot in order to ensure this doesn't happen again?

        • 1. Re: Interesting Log events
          saucysiem

          This means that one or more of your data sources is reporting events that have a time value which is ahead of the clock of the receiver. You can open the receiver log file and check what time these events came in and then dig back to narrow it down to what device is generating these messages. I haven't found a better way to identify the devices with incorrect time settings and would appreciate hearing if anyone else has.

          • 2. Re: Interesting Log events
            docdriza

            How do you open the log files? When I click on the red flag, I can view the log events, but when I double-click the log, nothing happens.

            • 3. Re: Interesting Log events
              hcmay

              Click the filter and select "Show all".

              [Screenshot: log filter menu, 2014-02-10]

              Check the events around the red flag as it will indicate which data source(s).

              [Screenshot: log events around the red flag, 2014-02-10]

              Once I know what devices are in question, I can run a tcpdump on that receiver for that device to look at the actual packets for that host:

              tcpdump -nvSni eth0 host xxx.xxx.xx.xxx -w /tmp/DumpCapture

              Hit <ctrl> c once you want to stop the capture.

              I typically then use Wireshark to examine the packet information.
              • 4. Re: Interesting Log events
                docdriza

                Going into the device log like you showed me did not work to tell me what device was having the issue. I found the problem device in a different way. Here is what I did:

                Navigate to the Default Summary.

                Look at the Event Distribution pane.

                Click on the events that are "In the future" and look at those specific events.

                In my case I had to zoom in on the Event Distribution to find them.

                • 5. Re: Interesting Log events
                  rth67

                  If you have a Custom View that shows you Event Summary, Count, and Distribution - switch to that view.

                  Next, set a custom time range to start 30 minutes to 1 hour in the future, through the end of the day.

                  You should then see all of the events, what source they came from, and when.

                  There are several different scenarios where you will have problems with "Future Events".

                  Possible cases include:

                       If you have a centralized Wireless LAN Controller that controls wireless access for multiple time zones

                       If you have a centralized RADIUS/TACACS+ Server that authenticates switches, routers, wireless, VPN clients from multiple time zones.
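                  As an added example, not code from this thread or from the SIEM vendor: a small Python script that does what saucysiem and rth67 describe above (compare each event's timestamp to the receiver clock and group the "future" events by source host) over a few constructed BSD-syslog lines. The host names, timestamps, pinned receiver clock and the 5-minute skew threshold are all assumptions.

```python
# Added example (not from the thread): flag syslog data sources whose event
# timestamps run ahead of the receiver clock, grouped by source host.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in BSD-syslog (RFC 3164) style; hosts and times are made up.
SAMPLE_LINES = """\
Feb 12 09:45:10 asa-edge %ASA-6-302013: Built outbound TCP connection
Feb 12 11:52:03 websense-1 blocked category=Gambling user=jdoe
Feb 12 09:44:58 linux-app sshd[2201]: Accepted publickey for ops
Feb 12 10:31:40 asa-edge %ASA-6-302014: Teardown TCP connection
Feb 12 11:50:21 websense-1 blocked category=Malware user=asmith
"""
# Receiver clock pinned for reproducibility (constructed value).
RECEIVER_NOW = datetime(2014, 2, 12, 9, 46, 0, tzinfo=timezone.utc)

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) ")

def parse_line(line, year, tz):
    """Return (host, event_time) for one BSD-syslog line, or None if unparsable.
    BSD syslog carries no year or zone, so the receiver applies its own; a source
    in a zone ahead of the receiver therefore shows up as 'in the future'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host = m.groups()
    ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    return host, ts

def future_sources(lines, receiver_now, skew=timedelta(minutes=5)):
    """Return {host: {"count": n, "max_lead": timedelta}} for every host whose
    events are ahead of receiver_now by more than `skew`."""
    ahead = defaultdict(list)
    for line in lines.splitlines():
        parsed = parse_line(line, receiver_now.year, receiver_now.tzinfo)
        if parsed is None:
            continue
        host, ts = parsed
        lead = ts - receiver_now
        if lead > skew:
            ahead[host].append(lead)
    return {h: {"count": len(v), "max_lead": max(v)} for h, v in ahead.items()}

if __name__ == "__main__":
    for host, info in future_sources(SAMPLE_LINES, RECEIVER_NOW).items():
        print(f"{host}: {info['count']} future events, max lead {info['max_lead']}")
```

Pointing the script at a receiver's exported log instead of SAMPLE_LINES gives the per-host list rth67's custom time range shows in the GUI, with the size of each host's clock lead.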

                  • 6. Re: Interesting Log events
                    hcmay

                    Thanks for your update. I have been fighting a time source issue on one of my data sources for what has seemed like forever.

                    Using tcpdumps and looking through hundreds of thousands of events felt like looking for a needle in a haystack. Using your method, I drilled down into the event distribution panel for the events in the future (in my case after 0900) and could isolate the events causing my grief. Big thanks!

                    [Screenshot: Event Distribution panel, 2014-02-12]

                    • 7. Re: Interesting Log events
                      docdriza

                      The issue I have is mainly with a FW, and a few events are from a Linux-based server.

                      • 8. Re: Interesting Log events
                        hcmay

                        The distribution listed above is from one data source, a Cisco ASA-5555. With your help, I was able to isolate future events to Websense logs showing up from this data source. I changed my Websense appliance to use NTP and resolved my future event errors.

                        Thanks again for the insight into a simple process that isolated these events.

                        • 9. Re: Interesting Log events
                          docdriza

                          I am looking through my isolated events, and it looks like they are B2B VPN connections. I am using an ASA 5505. Not sure what I would need to change. I have three other ASAs that are not having this issue.
