This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

log time is different

Go to solution
Anonymous
Not applicable

‎2013-12-05 12:22 AM

i have just integrated some device in my SA server and when i try to investigate their log i found that capture time is different as local time time i think that UTC time, can anyone please tell me how should i keep it at local time on all the device i tried from appliance task set device buit in clock but then too i am getting same UTC, i also tried from TZ select but then too its no change

 

i want to put log time as local time

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-01-04 06:48 AM

USE this to set SA time as per local time, in all appliance

 

ex: i have set Indian Local time

To change the time zone UTC to IST

ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime

 

To change the time as per local time

 

date +%T -s "10:13:13"

Sync hardware clock to system clock to make all time set

 

hwclock --systohc

View solution in original post

0 Likes
17 REPLIES 17

Go to solution
Anonymous
Not applicable

‎2013-12-05 11:41 AM

I currently have a support ticket open for this exact issue.  I will update when I get answers if none are given before then.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2013-12-05 01:32 PM

thanks, that will be great

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-12-05 03:27 PM

All times in SA Core services are UTC, never local.  For technical reasons, the "time" meta, which is present in every log session, is the time the log was parsed.  If you want the time of the log (if present), that would be captured as event.time, which should also be in UTC.

 

Local time would be a conversion for the client, not on the server, as the server does not care what time zone you are in.  Your local tz and the server tz may not match.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2013-12-06 12:16 AM

okay, but what when a customer asked a report for failed logon with exact local time

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2013-12-06 05:53 AM

All queries against a SA Core service must be in UTC.  The client that submits the report must either state the time should be in UTC or convert the local time to UTC before submitting the query.

 

This is exactly what Investigator 9.8 does.  It accepts local times and convert to UTC behind the scenes before submitting the query.  If the client you are using is not doing the conversion appropriately, then you are correct to submit a bug report with support.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner

‎2013-12-06 08:32 PM

anything to do with your SA Console timezone?

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2013-12-09 01:13 PM

no i have already set local time from SA server Console but there is no effect on log captured time. still its UTC and different in according  local time, and customer is not ready to accept report with this UTC time.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2013-12-19 10:01 AM

have you got any solution for log time?

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2013-12-20 09:55 AM

I have not found anything new out yet, my RSA case has a engineering ticket open.  I have noticed that it can cause a major issue in report though.  Two nights ago around 10 we had a crysis style event to restart our apache servers, these events happened but we are in an eastern time zone.  The information showed up for the incorrect day because the report added 5 hours to it. 

 

@Scott_NextGen

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.