This article has been archived.

Understanding event time in WinRM logs in RSA Security Analytics / NetWitness Platform

Article Number

000001264

Applies To

RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector (WinRM Collection)
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7

Issue

How the event time is determined for Windows logs collected via the WinRM collection method in RSA Security Analytics / NetWitness Logs & Network, and why it can differ from the time shown for events collected via the Agentless (legacy Windows) collection method.

Resolution

  • WinRM returns event times in GMT/UTC.
  • If the time stamp sent over WinRM ends in a "Z", as in <TimeCreated SystemTime="2012-08-10T14:56:38.000000000Z"/>, the event is stored on the Windows system in UTC and that is the value sent across. To check this on the host: open Event Viewer, go to Windows Logs -> Application/System/Security, double-click any event, select the Details tab, choose the XML View radio button and look at the TimeCreated element. Note that the General tab of the same dialog shows the "Logged" time converted to the local time zone of the machine running Event Viewer, so do not compare that value with what the collector receives.
  • More on the "Z" and time zone codes can be found under Coordinated Universal Time; an excerpt on the "Z":
The UTC time zone is sometimes denoted by the letter Z - a reference to the equivalent nautical time zone (GMT), which has been denoted by a Z since about 1950. The letter also refers to the "zone description" of zero hours, which has been used since 1920 (see time zone history). Since the NATO phonetic alphabet word for Z is "Zulu", UTC is sometimes known as Zulu time. This is especially true in aviation, where Zulu is the universal standard. This ensures all pilots regardless of location are using the same 24-hour clock, thus avoiding confusion when flying between time zones.
  • WinRM does not manipulate the time either. Put simply, the Log Collector / Remote Log Collector reads the stored events through the Windows Remote Management service and receives them exactly as written, with no conversion on either side:
How the time is determined

The time depends on how the event was stored by the system or the event source, not on WinRM.
Example

An example of an event in XML format as stored on the system / event source:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/>
        <EventID>800</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>43</Task>
        <Opcode>1</Opcode>
        <Keywords>0x4004000000000000</Keywords>
        <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/>
        <EventRecordID>34724172</EventRecordID>
        <Correlation/>
        <Execution ProcessID='6432' ThreadID='4992'/>
        <Channel>Microsoft-Windows-PrintService/Operational</Channel>
        <Computer>server1.abc.def.ghk</Computer>
        <Security UserID='S-1-5-21-1605315502-1971273683-2142917321-8548458'/>
    </System>
    <UserData>
        <JobDiag xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'>
            <JobId>19</JobId>
        </JobDiag>
    </UserData>
    <RenderingInfo Culture='en-US'>
        <Message>Spooling job 19.</Message>
        <Level>Information</Level>
        <Task>Print job diagnostics</Task>
        <Opcode>Start</Opcode>
        <Channel>Operational</Channel>
        <Provider>Microsoft-Windows-PrintService</Provider>
        <Keywords>
            <Keyword>WDI Diag</Keyword>
        </Keywords>
    </RenderingInfo>
</Event>
  • WinRM picks this event up and sends it across without changing anything. Look closely at the TimeCreated element: the SystemTime value ends with the letter "Z", meaning GMT/UTC, and that is exactly what is sent.
  • In Agentless collection, by contrast, the field of interest is Time Generated, which is a count of seconds elapsed since 00:00:00 on 1 January 1970 (UTC). The collector converts this offset into readable time, and that readable time is rendered in the local time zone of the collector. A WinRM event and an agentless event for the same instant can therefore display differently unless both are normalised to one zone before comparison.
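The following script is an added example written for this article; it is not NetWitness or RSA code. It shows the two paths side by side: it parses the TimeCreated SystemTime value out of an event XML like the one above, treating a trailing "Z" as UTC, keeping an explicit offset if one is present, and refusing to guess a zone when the designator is missing; and it converts an agentless-style Time Generated epoch value the way the collector does, into the collector's local zone. The sample event is a trimmed copy of the one above, the epoch value 1390920821 is constructed to be the same instant, and the collector time zone (UTC-5) is an assumption.

```python
"""Normalise event time from WinRM- and agentless-collected Windows events.

Added example, not NetWitness/RSA code. A SystemTime ending in "Z" is UTC
and is forwarded unchanged over WinRM; the agentless TimeGenerated field is
seconds since 1970-01-01T00:00:00 UTC that the collector renders in its own
local zone. Sample event and collector zone are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed collector time zone (UTC-5); a real collector would use its system zone.
COLLECTOR_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed sample, trimmed from the article's PrintService event.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-PrintService'/>
    <EventID>800</EventID>
    <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/>
    <EventRecordID>34724172</EventRecordID>
    <Channel>Microsoft-Windows-PrintService/Operational</Channel>
    <Computer>server1.abc.def.ghk</Computer>
  </System>
</Event>"""

# ISO 8601 as Windows writes it: up to 9 fractional digits, then "Z",
# an explicit offset, or no designator at all.
SYSTEMTIME_RE = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))?"
    r"(?P<zone>Z|[+-]\d{2}:\d{2})?$"
)


def parse_system_time(value):
    """Return (datetime, zone_known) for a TimeCreated/SystemTime string.

    zone_known is False when the string carries no designator; the value is
    then returned naive rather than silently assumed to be UTC or local.
    """
    m = SYSTEMTIME_RE.match(value.strip())
    if m is None:
        raise ValueError(f"unrecognised SystemTime: {value!r}")
    dt = datetime.strptime(m.group("base"), "%Y-%m-%dT%H:%M:%S")
    # Windows stores 100 ns units (7+ digits); datetime holds microseconds,
    # so keep the first six fractional digits and drop the rest.
    frac = (m.group("frac") or "") + "000000"
    dt = dt.replace(microsecond=int(frac[:6]))
    zone = m.group("zone")
    if zone is None:
        return dt, False
    if zone == "Z":
        return dt.replace(tzinfo=timezone.utc), True
    sign = 1 if zone[0] == "+" else -1
    offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    return dt.replace(tzinfo=timezone(sign * offset)), True


def event_time_from_xml(xml_text):
    """Extract and parse System/TimeCreated SystemTime from a Windows event XML."""
    root = ET.fromstring(xml_text)
    tc = root.find("./e:System/e:TimeCreated", EVENT_NS)
    if tc is None or "SystemTime" not in tc.attrib:
        raise ValueError("event has no System/TimeCreated SystemTime attribute")
    return parse_system_time(tc.attrib["SystemTime"])


def agentless_time(time_generated, collector_tz):
    """Agentless path: TimeGenerated is seconds since the Unix epoch (UTC);
    the collector renders it in its own local zone, which this reproduces."""
    return datetime.fromtimestamp(int(time_generated), tz=timezone.utc).astimezone(collector_tz)


def to_collector_local(dt, collector_tz):
    """Convert a zone-aware WinRM event time to the collector's zone so it can
    be compared with agentless events. Refuses naive values instead of guessing."""
    if dt.tzinfo is None:
        raise ValueError("SystemTime has no zone designator; refusing to guess a zone")
    return dt.astimezone(collector_tz)


if __name__ == "__main__":
    winrm_dt, known = event_time_from_xml(SAMPLE_EVENT)
    print("WinRM (as stored):", winrm_dt.isoformat(), "zone known:", known)
    print("WinRM (collector local):", to_collector_local(winrm_dt, COLLECTOR_TZ).isoformat())
    # Same instant as it would arrive via agentless collection (constructed value).
    print("agentless (collector local):", agentless_time(1390920821, COLLECTOR_TZ).isoformat())
```

Run it on the collector (CentOS ships Python 3 on EL7 and later) to confirm that a "Z"-suffixed WinRM time and an agentless epoch for the same instant line up once both are in the collector's zone; the naive case raises rather than guessing, which is the behaviour you want in a parser feeding a SIEM.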
Version history
Last update:
‎2022-02-10 02:01 PM
Updated by:
Administrator nwinfotech Administrator
© 2022 RSA Security LLC or its affiliates. All rights reserved.