This means that one or more of your data sources is reporting events that have a time value which is ahead of the clock of the receiver. You can open the receiver log file and check what time these events came in, then dig back to narrow it down to what device is generating these messages. I haven't found a better way to identify the devices with incorrect time settings and would appreciate hearing if anyone else has.
How do you open the log files? When I click on the red flag, I can view the log events, but when I double-click the log, nothing happens.
Click the filter and select "Show all".
Check the events around the red flag as it will indicate which data source(s).
Once I know which devices are in question, I can run a tcpdump on that receiver for that device to look at the actual packets for that host:
tcpdump -nvSni eth0 host xxx.xxx.xx.xxx -w /tmp/DumpCapture
Hit <Ctrl> C once you want to stop the capture.
I typically then use Wireshark to examine the packet information.
Going into the device log like you showed me did not work to tell me what device was having the issue. I found the problem device in a different way. Here is what I did:
Navigate to the Default Summary
Look at the Event Distribution Pane
Click on the events that are "In the future" and look at those specific events.
In my case I had to zoom in on the Event Distribution to find them.
If you have a Custom View that shows you Event Summary, Count, and Distribution - switch to that view.
Next, set a custom time range to start 30 minutes to 1-hour in the future, through the end of the day.
You should then see all of the events, what source they came from, and when.
There are several different scenarios where you will have problems with "Future Events".
Possible cases include:
If you have a centralized Wireless LAN Controller that controls wireless access for multiple time zones
If you have a centralized RADIUS/TACACS+ Server that authenticates switches, routers, wireless, VPN clients from multiple time zones.
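As an added example (not code from the original thread, and not any vendor's tool), the following Python script does the same triage offline against a receiver log: it compares each event's own syslog timestamp with the time the receiver accepted it, reports only the sources whose events run ahead of the receiver clock by more than a threshold, and flags skews that sit on a whole number of hours, which is the signature of the multi-time-zone WLC and RADIUS/TACACS+ cases listed above rather than of simple clock drift. The receiver log layout, host names and addresses are constructed assumptions for the example.

```python
"""Find syslog sources whose event timestamps run ahead of the receiver clock.

Added example, not from the original thread. Input is a constructed receiver
log in which each line records the receiver's arrival time, the sending host,
and the raw BSD-syslog payload carrying the device's own timestamp.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<arrival ISO timestamp> <source IP> <raw syslog payload>".
# The layout is an assumption for this example, not a real receiver's log format.
RECEIVER_LOG = """\
2015-06-10T08:57:02 10.1.1.5 Jun 10 08:57:01 asa-5555 %ASA-6-302013: Built outbound TCP connection
2015-06-10T08:57:03 10.1.1.9 Jun 10 09:57:03 websense-1 Category: Business, Action: Permitted
2015-06-10T08:57:04 10.1.1.5 Jun 10 08:57:03 asa-5555 %ASA-6-302014: Teardown TCP connection
2015-06-10T08:57:05 10.1.1.9 Jun 10 09:57:05 websense-1 Category: Shopping, Action: Blocked
2015-06-10T08:57:06 10.1.1.20 Jun 10 08:59:40 linux-srv sshd[1234]: Accepted publickey for admin
2015-06-10T08:57:07 10.1.1.5 Jun 10 08:57:07 asa-5555 %ASA-4-106023: Deny tcp src outside
"""

LINE_RE = re.compile(
    r"^(?P<arrival>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$"
)


def parse_event_time(mon: str, day: str, time: str, year: int) -> datetime:
    """BSD syslog timestamps carry no year, so borrow it from the arrival time.
    (A Dec/Jan rollover would need extra handling; ignored here.)"""
    return datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def looks_like_tz_offset(skew_s: float) -> bool:
    """True when the skew is within a minute of a whole number of hours (>= ~1h).
    Such skews usually mean a device reporting local time from another time zone,
    not a drifting clock."""
    nearest_hour = 3600 * round(skew_s / 3600)
    return skew_s >= 3000 and abs(skew_s - nearest_hour) <= 60


def future_events(log_text: str, threshold_s: float = 300):
    """Return {source: {"count", "max_skew_s", "hour_aligned"}} for every source
    whose event timestamps exceed the receiver arrival time by > threshold_s."""
    report = defaultdict(lambda: {"count": 0, "max_skew_s": 0.0, "hour_aligned": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these separately
        arrival = datetime.fromisoformat(m["arrival"])
        event = parse_event_time(m["mon"], m["day"], m["time"], arrival.year)
        skew = (event - arrival).total_seconds()
        if skew <= threshold_s:
            continue  # on time or merely late: not a "future" event
        entry = report[m["source"]]
        entry["count"] += 1
        entry["max_skew_s"] = max(entry["max_skew_s"], skew)
        entry["hour_aligned"] = looks_like_tz_offset(entry["max_skew_s"])
    return dict(report)


if __name__ == "__main__":
    for source, info in sorted(future_events(RECEIVER_LOG).items()):
        kind = "time zone?" if info["hour_aligned"] else "clock drift?"
        print(f"{source}: {info['count']} future events, max +{info['max_skew_s']:.0f}s ({kind})")
```

Run against a real receiver export you would only need to adjust LINE_RE to the receiver's actual line layout; the default 5-minute threshold mirrors the "start the custom range 30 minutes to 1 hour in the future" idea from the thread while still catching smaller skews, and lowering threshold_s surfaces hosts that are only a few minutes off.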
Thanks for your update. I have been fighting a time source issue on one of my data sources for what has seemed like forever.
Using tcpdumps and looking through hundreds of thousands of events... felt like looking for a needle in a haystack. Using your method, I drilled down into the event distribution panel for the events in the future (in my case after 0900) and could isolate the events causing my grief. Big Thanks!
The issue I have is mainly with a FW, and a few events are from a Linux-based server.
The distribution listed above is from one data source, a Cisco ASA-5555. With your help, I was able to isolate future events to Websense logs showing up from this data source. I changed my Websense appliance to use NTP and resolved my future event errors.
Thanks again for the insight into a simple process that isolated these events.
I am looking through my isolated events, and it looks like they are B2B VPN connections. I am using an ASA 5505. Not sure what I would need to change. I have three other ASAs that are not having this issue.