topic Re: Time Conversion of Cisco FTD Logs in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Time-Conversion-of-Cisco-FTD-Logs/m-p/567547#M100797 <P>Splunk will convert the time zone for you.&nbsp; You just need to tell it what time zone the event occurs in.&nbsp; Do that by specifying <FONT face="courier new,courier">TZ = UTC</FONT> in props.conf for the appropriate sourcetype.</P><P>I'd be remiss if I missed this opportunity to point out that one should not send syslog directly to a Splunk TCP or UDP port.&nbsp; Instead, send it to a dedicated syslog server and forward it to Splunk or use Splunk Connect for Syslog.</P> Sun, 19 Sep 2021 14:25:11 GMT richgalloway 2021-09-19T14:25:11Z Time Conversion of Cisco FTD Logs https://community.splunk.com/t5/Getting-Data-In/Time-Conversion-of-Cisco-FTD-Logs/m-p/567544#M100796 <P>I have several Cisco FTD devices (managed by Cisco FMC) that are sending syslog messages to splunk. Here is the format....</P><P><SPAN>&lt;</SPAN><SPAN class="t">164</SPAN><SPAN>&gt;</SPAN><SPAN class="t">Sep</SPAN> <SPAN class="t">19</SPAN> <SPAN class="t">2021</SPAN> <SPAN class="t">13:26:27</SPAN> <SPAN class="t">ftdv-b-int</SPAN> <SPAN class="t">:</SPAN> <SPAN class="t">%FTD-4-313005:</SPAN> <SPAN class="t">No</SPAN> <SPAN class="t">matching</SPAN> <SPAN class="t">connection</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">ICMP</SPAN> <SPAN class="t">error</SPAN> <SPAN class="t">message:</SPAN> <SPAN class="t">icmp</SPAN> <SPAN class="t">src</SPAN> <SPAN class="t">inside_Mgmt:10.0.20.238</SPAN> <SPAN class="t">dst</SPAN> <SPAN class="t">inside_Legacy_Server:192.168.0.94</SPAN><SPAN> (</SPAN><SPAN class="t">type</SPAN> <SPAN class="t">3</SPAN><SPAN>, </SPAN><SPAN class="t">code</SPAN> <SPAN class="t">3</SPAN><SPAN>) </SPAN><SPAN class="t">on</SPAN> <SPAN class="t">inside_Mgmt</SPAN> <SPAN class="t">interface.</SPAN> <SPAN class="t">Original</SPAN> <SPAN class="t">IP</SPAN> <SPAN class="t">payload:</SPAN> <SPAN class="t">udp</SPAN> <SPAN class="t">src</SPAN> <SPAN class="t">192.168.0.94/53</SPAN> <SPAN class="t">dst</SPAN> <SPAN class="t">10.0.20.238/12055.</SPAN></P><P>The time is in UTC.... is there a way to convert this time to local when I pull the records in so I can do alerting, etc. on these records?</P> Sun, 19 Sep 2021 13:38:41 GMT https://community.splunk.com/t5/Getting-Data-In/Time-Conversion-of-Cisco-FTD-Logs/m-p/567544#M100796 teco_akelly 2021-09-19T13:38:41Z Re: Time Conversion of Cisco FTD Logs https://community.splunk.com/t5/Getting-Data-In/Time-Conversion-of-Cisco-FTD-Logs/m-p/567547#M100797 <P>Splunk will convert the time zone for you.&nbsp; You just need to tell it what time zone the event occurs in.&nbsp; Do that by specifying <FONT face="courier new,courier">TZ = UTC</FONT> in props.conf for the appropriate sourcetype.</P><P>I'd be remiss if I missed this opportunity to point out that one should not send syslog directly to a Splunk TCP or UDP port.&nbsp; Instead, send it to a dedicated syslog server and forward it to Splunk or use Splunk Connect for Syslog.</P> Sun, 19 Sep 2021 14:25:11 GMT https://community.splunk.com/t5/Getting-Data-In/Time-Conversion-of-Cisco-FTD-Logs/m-p/567547#M100797 richgalloway 2021-09-19T14:25:11Z