12 Replies Latest reply on May 23, 2016 3:37 AM by asadz

    Abnormal timestamp showing on McAfee ESM

    asadz

      McAfee ESM is showing 4 different times, and as a result I'm unable to retrieve results on the "default summary" dashboard. Please see the attachment (ab1.PNG).

        • 1. Re: Abnormal timestamp showing on McAfee ESM
          acommons

          Check the timestamp in the raw log entry. Data sources can sometimes apply their own time zone adjustments to the log entries which can throw off the local time shown in the ESM.

          • 2. Re: Abnormal timestamp showing on McAfee ESM
            asadz

            I have tried to generate real-time traffic and turned streaming mode on, but it won't match anything; it's bringing me logs that are 1 day old?

            • 3. Re: Abnormal timestamp showing on McAfee ESM
              acommons

              Using the Default Summary, select your device in the ESM and set the time to 'All' in the time window drop-down. This should show any events received from the device regardless of where they are in time. If you get events displayed, then drill down to the events using Event Drilldown, look at the packet (use the Packet tab) and see if there is a timestamp in the raw event. If there is a timestamp, then apply your local offset to it and see if it gives you the times you are seeing. If it does, then try to adjust the source time zone or fake your time zone in the data source definition.

              • 4. Re: Abnormal timestamp showing on McAfee ESM
                asadz

                Thanks, here is the event distribution using the "all" time setting.

                Please see the attachment; I think there is an offset of -2 hours. Should I change the system settings now?

                [attachment: what you make.PNG]

                • 5. Re: Abnormal timestamp showing on McAfee ESM
                  asadz

                  Another strange thing is that when I change the time under System Properties > System Information > System Clock, the settings are reverted. Is it because the NTP service is also running at the system level?

                  • 6. Re: Abnormal timestamp showing on McAfee ESM
                    acommons

                    Do not change the system time unless it is wrong; it should be set to GMT, and your localization settings should give you the correct local time.

                    You have two places where you can mess with the event times:

                    (1) On the source device, change it so that the timestamp (if it is present and being parsed in the Receiver) is GMT, or
                    (2) Fake the time offset in the data source definition so that the time is adjusted correctly for your time zone.

                    If (1) has side effects, i.e. other systems are also looking at the logs, then (2) will get things aligned from a display point of view, BUT I would not be surprised if there are side effects in other areas which might work on the unadjusted times.

                    • 7. Re: Abnormal timestamp showing on McAfee ESM
                      asadz

                      Please see the attachment.

                      [attachment: time settings firewall.PNG]

                      This troubled device source, called IBT, along with the entire machine, has been restarted. It looks active, but when I use the 'default dashboard' it shows me NOTHING. The time zone is correct. But when I use the streaming view it shows me events coming from the 21st; I can see them in the raw payloads too. Is this some kind of backlog?

                      • 8. Re: Abnormal timestamp showing on McAfee ESM
                        acommons

                        The event time, at least for the events you showed in Post 1, is parsed out of the raw event data. You can see this in the ASP parser rule for "PANOS TRAFFIC Session allowed by policy". This is the value that is almost certainly causing your problem, and it probably needs to be fixed in the logging configuration of your firewall rather than in the ESM.
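                        The check acommons describes in posts 3, 6 and 8 (pull the timestamp out of the raw PAN-OS payload, compare it with when the Receiver actually saw the message, and see what the event time becomes once a source offset is applied in the data source definition) can be scripted. The block below is an added example, not code from the thread, from McAfee or from Palo Alto Networks. It assumes the PAN-OS traffic CSV field order (Receive Time at index 1, Type at 3, Subtype at 4, Generated Time at 6; verify against the ASP parser rule on your Receiver), uses the syslog arrival time as a stand-in for the Receiver's own receive time, assumes that time is UTC, and models the dashboard window as "current day". The log lines are constructed.

```python
"""Added example: compare the timestamp inside a PAN-OS TRAFFIC syslog payload with
the time the Receiver saw the message, estimate the firewall's UTC offset, and show
how the event time lands once that offset is applied as the data-source time zone
(the "fake the offset" fix from the thread). Field positions are assumed, not taken
from the ESM parser; check them against the ASP rule on your own Receiver."""
import re
from datetime import datetime, timedelta, timezone

PAN_RECEIVE_TIME = 1    # firewall-local clock, written without any TZ designator
PAN_TYPE = 3            # TRAFFIC / THREAT / SYSTEM ...
PAN_SUBTYPE = 4         # start / end / drop / deny
PAN_GENERATED_TIME = 6  # also firewall-local, no TZ
PAN_TIME_FMT = "%Y/%m/%d %H:%M:%S"

# BSD syslog header: optional <PRI>, "Mon dd hh:mm:ss", hostname, then the payload.
SYSLOG_HDR = re.compile(
    r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<payload>.*)$")


def strip_syslog_header(line):
    """Return the CSV payload that follows the syslog header."""
    m = SYSLOG_HDR.match(line.strip())
    if not m:
        raise ValueError("unrecognised syslog header")
    return m.group("payload")


def parse_panos_traffic(payload):
    """Return subtype and the two naive (TZ-less) timestamps of a TRAFFIC record."""
    f = payload.split(",")
    if len(f) <= PAN_GENERATED_TIME or f[PAN_TYPE] != "TRAFFIC":
        raise ValueError("not a PAN-OS TRAFFIC record")
    return {
        "subtype": f[PAN_SUBTYPE],
        "receive_time": datetime.strptime(f[PAN_RECEIVE_TIME], PAN_TIME_FMT),
        "generated_time": datetime.strptime(f[PAN_GENERATED_TIME], PAN_TIME_FMT),
    }


def estimate_offset_hours(arrival_utc, payload_local):
    """Offset of the firewall clock relative to UTC, rounded to the nearest half
    hour, using the Receiver's (UTC) arrival time as the reference. A few seconds
    of transit delay vanish in the rounding; a TZ mismatch shows up as a whole
    or half hour (the -2 h seen in post 4 would come out here as -2.0)."""
    naive_arrival = arrival_utc.astimezone(timezone.utc).replace(tzinfo=None)
    delta = payload_local - naive_arrival
    return round(delta.total_seconds() / 3600 * 2) / 2


def local_to_utc(payload_local, source_offset_hours):
    """Interpret a naive firewall timestamp as UTC+offset (what the data-source
    time zone setting does) and return an aware UTC datetime."""
    src = timezone(timedelta(hours=source_offset_hours))
    return payload_local.replace(tzinfo=src).astimezone(timezone.utc)


def in_current_day(event_utc, now_utc):
    """Assumed dashboard window: the event falls on today's UTC date."""
    return (event_utc.astimezone(timezone.utc).date()
            == now_utc.astimezone(timezone.utc).date())


def audit(samples, now_utc, assumed_offset_hours=0.0):
    """For each (arrival_iso, raw_line) pair report the estimated source offset
    and whether the event lands in 'today' with the offset currently assumed
    versus the estimated one. Non-TRAFFIC records are reported as skipped."""
    results = []
    for arrival_iso, raw in samples:
        arrival = datetime.fromisoformat(arrival_iso)
        try:
            rec = parse_panos_traffic(strip_syslog_header(raw))
        except ValueError as e:
            results.append({"skipped": str(e)})
            continue
        est = estimate_offset_hours(arrival, rec["receive_time"])
        results.append({
            "subtype": rec["subtype"],
            "estimated_offset_hours": est,
            "today_with_assumed_offset": in_current_day(
                local_to_utc(rec["receive_time"], assumed_offset_hours), now_utc),
            "today_with_estimated_offset": in_current_day(
                local_to_utc(rec["receive_time"], est), now_utc),
        })
    return results


# Constructed samples: fw01's clock runs two hours behind UTC, fw02 is in sync,
# and the third line is a THREAT record the traffic parser must not accept.
SAMPLES = [
    ("2016-05-23T00:30:10+00:00",
     "<14>May 23 00:30:10 fw01 1,2016/05/22 22:30:09,001234567890,TRAFFIC,end,0,"
     "2016/05/22 22:30:09,10.0.0.5,203.0.113.9,0.0.0.0,0.0.0.0,allow-web,,,web-browsing"),
    ("2016-05-23T00:31:00+00:00",
     "<14>May 23 00:31:00 fw02 1,2016/05/23 00:30:58,001234567891,TRAFFIC,end,0,"
     "2016/05/23 00:30:58,10.0.0.6,198.51.100.7,0.0.0.0,0.0.0.0,allow-web,,,ssl"),
    ("2016-05-23T00:31:05+00:00",
     "<14>May 23 00:31:05 fw01 1,2016/05/22 22:31:04,001234567890,THREAT,url,0,"
     "2016/05/22 22:31:04,10.0.0.5,203.0.113.9"),
]
NOW = datetime(2016, 5, 23, 0, 35, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in audit(SAMPLES, NOW):
        print(r)
```

                        Run against a handful of lines pulled from the Packet tab, a consistent non-zero `estimated_offset_hours` for one data source is the signature of the problem in this thread: the payload time is taken as-is, so events from a lagging firewall sit just outside the dashboard's window while streaming (which ignores the window) still shows them. The `today_with_estimated_offset` column shows what the data-source time zone change would do for display; as acommons notes, fixing the firewall's logging configuration is the cleaner option.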

                        • 9. Re: Abnormal timestamp showing on McAfee ESM
                          asadz

                          Just see, this is the raw payload timestamp and the lasttime column in the streaming section, which need to be corrected?
