2017-04-13 08:18 AM
Hello,
I have a question regarding LogCollector and RemoteLogCollector.
Is there a possibility that the time the RLC collects an event is sent to the LogCollector? Because if the connection between LC and RLC is interrupted, then all collected events are displayed in SA with the timestamp when the LC received the data. This doesn't help when you have to investigate something.
br Tom
2017-04-14 06:06 PM
Ah, what you are seeing isn't the time based on the LC receiving the log but the time the log decoder service parses the log itself. We must consider that ingestion time instead of when it is pulled from the event source. I can see why this might be, as the logs are not interrogated in any way until the log decoder starts to parse them. Only then is meta starting to be generated on the log. I doubt there is an easy way, based on the current architecture, to time stamp them as you are requesting. Any time stamp within the log is still intact and I believe is placed into event.time. Of course this doesn't help when doing a Navigate Investigation, since you don't see event.time until you get into the Event View area. If you feel this is a feature that the product needs, please open a Feature Request with Support and we can provide the request to our Continued Engineering team to see if it can be placed into the product.
Hopefully it would be easier than I am thinking as I can understand the issue you are pointing out here.
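As an added illustration that is not part of this thread or of the product: given the ingest time that the Navigate view keys on and the raw log text, the following Python script recovers the timestamp carried in the log (what the answer above calls event.time) and flags the burst of late events that a collector reconnect produces. All log lines, hostnames and timestamps are constructed; the 11:15 to 13:00 gap mirrors the outage described in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: (time the log decoder parsed the event, raw syslog line).
# Three events collected during the outage all land on the same ingest second.
SAMPLE_RECORDS = [
    ("2017-04-14 11:05:10", "Apr 14 11:05:08 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5"),
    ("2017-04-14 13:02:41", "Apr 14 11:20:33 fw01 kernel: DROP IN=eth0 SRC=10.0.0.9"),
    ("2017-04-14 13:02:41", "Apr 14 12:07:14 fw01 sshd[412]: Failed password for root from 10.0.0.9"),
    ("2017-04-14 13:02:42", "Apr 14 13:01:55 fw01 sshd[412]: Accepted publickey for ops from 10.0.0.7"),
]

# Classic syslog header: "Mon DD HH:MM:SS " (no year, so the caller supplies it).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def event_time(raw: str, year: int) -> datetime:
    """Extract the timestamp written into the log itself (the event.time meta)."""
    m = SYSLOG_TS.match(raw)
    if not m:
        raise ValueError("no syslog timestamp in %r" % raw)
    mon, day, hh, mm, ss = m.groups()
    return datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")


def ingestion_lag(records, year=2017):
    """Return (ingest_time, event_time, lag) for each record."""
    out = []
    for ingest_str, raw in records:
        ingest = datetime.strptime(ingest_str, "%Y-%m-%d %H:%M:%S")
        ev = event_time(raw, year)
        out.append((ingest, ev, ingest - ev))
    return out


def backlog_flushes(records, threshold=timedelta(minutes=5), year=2017):
    """Group late events by ingest time. Several events sharing one ingest
    second while their own timestamps span hours is the reconnect signature
    the thread describes; the event times are what an investigator should use."""
    flushes = {}
    for ingest, ev, lag in ingestion_lag(records, year):
        if lag > threshold:
            flushes.setdefault(ingest, []).append(ev)
    return flushes


if __name__ == "__main__":
    for ingest, evs in backlog_flushes(SAMPLE_RECORDS).items():
        print(f"{ingest}: {len(evs)} late events, earliest event.time {min(evs)}")
```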
2017-04-13 05:21 PM
Are you currently seeing this behavior where if a LC and RLC get disconnected, when it reconnects the event time is all the same? We tag the log at time of ingestion; I believe this is the time it is pulled from the event source, no matter if it is a LC or RLC.
2017-04-14 01:35 AM
Hello John,
I don't think that this is correct. I would expect/like that the time when the events are collected at the RLC is the same time shown when doing an investigation, but this is the time when the events are transferred from RLC to LC. Here is the chart, where you can see that the chart shows the time when the connection has been established again (I stopped the LC between 11:15 and 13:00):
Bug or Feature?
br Tom