Hi All, currently we are facing an issue with the timestamp of our firewall logs. We can see the logs coming into Splunk with a time difference of 3 hours. We have 5 heavy forwarder instances as intermediate forwarders, and this firewall log is read from these 5 HF instances, which are configured as syslog servers. Splunk reads the logs from these 5 HF instances and then ingests the data into the indexer.
inputs.conf detail:
[monitor:///opt/syslogs/mguard/.../mguard.log*]
index=fw
sourcetype=mguard:network:log
host_segment = 4
10/13/17
10:35:57.000 AM
Oct 13 10:35:57 test01.xxx.com 1,2017/10/13 10:35:57,007257000034869,TRAFFIC,start,0,2017/10/13 10:35:57,10.x.x.x,168.x.x.x,0.0.0.0,0.0.0.0,trust-xxxx,,,ssl,vsys1,trust,xxxx,ethernet1/2,ethernet1/1,Splunk,2017/10/13 10:35:57,761997,1,51475,8089,0,0,0x104000,tcp,allow,416,350,66,4,2017/10/13 10:35:56,0,any,0,70021120,0x0,x.0.0.0-x.255.255.255,United States,0,3,1,n/a,0,0,0,0,,test01,from-policy,,,0,,0,,N/A
eventtype = nix-all-logs eventtype = pan network host = test01.xxx.com source = /opt/syslogs/mguard/test01.xxx.com/mguard.log sourcetype = mguard:network:log tag = network timeendpos = 16 timestartpos = 0
Current EDT time is 1:40 PM and logs are coming into Splunk with a timestamp of 10:35:57.000 AM, so I need to adjust the time zone by 3 hours to match the current EDT time.
Kindly guide me on how to adjust this time zone by 3 hours in Splunk.
Your firewall logs don't appear to specify a timezone offset, so Splunk will assume the timestamps are in UTC.
1.) Are you sure your firewall has the correct time?
2.) Does your firewall know what TZ it's in?
3.) Can you amend your firewall's logs to include a TZ?
4.) Maybe you can "fix" this on the syslog server? - In my experience it's always better to try and fix this as close to the source as possible.
Hi @sarwshai - it's not about where (in the world) your forwarders are. It's about where your firewall is. The reason for this is that we should assume that the time on the firewall is right... That is to say, a fw in the UK will use UK time, and one in Sydney is in AEST. That's why you need to set your sourcetype to use the TZ of the source data.
So, the first question is therefore "where is your firewall located?"
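To see why the sourcetype's TZ setting matters, here is an added example (not from the thread or from Splunk) that interprets the zone-less syslog prefix the way a parser in a given zone would, measures the resulting skew, and picks out which source zone explains an observed offset. The log line is a constructed excerpt in the thread's format; the zone names and the observed 3-hour skew are taken from the discussion, and the parser zone (America/New_York, for EDT) is an assumption.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample in the thread's format (values are placeholders, not real traffic).
# Splunk extracted the timestamp from timestartpos=0 to timeendpos=16 of this prefix.
SAMPLE_LINE = "Oct 13 10:35:57 test01.xxx.com 1,2017/10/13 10:35:57,007257000034869,TRAFFIC,start"
SYSLOG_TIME_FORMAT = "%b %d %H:%M:%S"   # no year and no UTC offset in the prefix


def parse_syslog_time(line, year, tz_name):
    """Interpret the zone-less prefix as wall-clock time in tz_name.

    This mirrors what a Splunk TZ setting on the sourcetype does: the same
    characters yield a different epoch depending on which zone is assumed.
    """
    naive = datetime.strptime(line[:15], SYSLOG_TIME_FORMAT).replace(year=year)
    return naive.replace(tzinfo=ZoneInfo(tz_name))


def skew_hours(line, year, parser_tz, source_tz):
    """Hours by which the event is mis-stamped when the parser assumes parser_tz
    but the device that wrote the line actually keeps source_tz wall-clock time."""
    assumed = parse_syslog_time(line, year, parser_tz)
    actual = parse_syslog_time(line, year, source_tz)
    return (actual - assumed).total_seconds() / 3600


def candidate_source_zones(line, year, parser_tz, observed_skew_hours, candidates):
    """Return the candidate zones whose skew against parser_tz matches what was observed.

    Set the winner as TZ on the sourcetype in props.conf on the parsing tier, e.g.
        [mguard:network:log]
        TZ = PST8PDT
    (TZ is a standard props.conf setting; the stanza name is the thread's sourcetype.)
    """
    return [tz for tz in candidates
            if skew_hours(line, year, parser_tz, tz) == observed_skew_hours]


if __name__ == "__main__":
    zones = ["UTC", "Europe/London", "America/New_York", "PST8PDT",
             "America/Los_Angeles", "Australia/Sydney"]
    # Parsing host assumed to be in EDT; thread reports events landing 3 hours early.
    print(candidate_source_zones(SAMPLE_LINE, 2017, "America/New_York", 3.0, zones))
```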
Hi Nickhillscpl, thanks a lot, the issue seems to be fixed; now we can see the index time matching the current EDT time. Could you please tell me how you troubleshot this and came to try PST8PDT, where I failed to do so?
Much needed help from you thanks my friend 🙂
Hi Nickhillscpl, could you please guide me on this?
Thanks in advance.
Where is the firewall? - in the world?