Getting Data In

How to configure time zone settings for firewall data coming from a different timezone?

Motivator

Hi All, Currently we got a request to adjust the time zone based on the Plant location from where the firewall logs are being sent to the splunk Heavy Forwarder instances and then get indexed in the individual indexer instances. Likewise in our environment HF instances act as the syslog servers.

Exact requirement:
Want to adjust the time zone based on the Plant location. Currently we could see all the data's are indexed with EDT time zone. There 13 different plant location from where the firewall logs are sent and mostly they all fall under these time Zone EST and CST, except for one plant located in Malaysia GMT -7.

Below configuration details are set in customized app called Test-IA-guard and Test-TA-guard and both this app are placed in HF instances.

Test-IA-guard are configured with inputs.conf stanza.

[monitor:///opt/syslogs/guard/.../guard.log*]
index=firewall
sourcetype=guard:network:firewall
host_segment = 4

Note : Props.conf and transforms.conf are configured based on setting per-event Host name.
We have more than 200 nodes configured base on per-event Host name.

Test-TA-mguard configured with props & transforms.

Props.conf details :
[host::10.X.X.X]
TRANSFORMS-guardrename = guardrename_Host1

Transforms.conf details:
[guardrenameHost1]

REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::guard-Line1

And we know that we can configure the timezone in props.conf using the TZ stanza either with sourcetype, host and source. But not sure how to configure time zone for 13 different location using same props.conf stanza. Kindly guide me how to configure the timezone based on different location.

thanks in advance.

0 Karma

SplunkTrust
SplunkTrust

Give this a try

Test-TA-mguard configured with props & transforms. (assuming there isa props/transform entry for each host/node)

Props.conf details :

[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host1
#Host in EST
TZ = EST

[host::10.X.X.X]
TRANSFORMS-guard_rename = guard_rename_Host2, set_tz_myt
#Host in Malaysia
TZ = MYT
0 Karma

Motivator

Hi Somesoni2, thanks for your effort, as I had commented earlier, that we have Test-TA-mguard configured with props & transforms and all the plant data from different locations are filtered based on setting per-event Host name.

Example: Plant from Malaysia

Props.conf
[host::10.X.X.X]
TRANSFORMS-guardrename = guardrename_Host1

Next set of host from EST location configured in same props.conf file, filtered by their host name

[host::10.X.X.X]
TRANSFORMS-guardrename = guardrename_Host4
TZ = EST

Lilke wise we have 13 different plant locations host are mentioned in the same props.conf files. And we have almost 200 + host from these 13 location sending the data.

Question :

How will the splunk understands that first set of three hosts are from Malaysia and second set of hosts are from EST location as all the hosts details are mentioned continuously in same props files. Though all the hosts have different host name/IP address.

thanks in advance.

0 Karma

Motivator

Hi Somesoni2, Good Morning, As I had mentioned in the above comment, How will the splunk understands that first set of three hosts are from Malaysia, second set of hosts are from EST and third set of hosts are from CST location as all the hosts details are mentioned continuously in same props files. Though all the hosts have different host name/IP address.

OR Do we need to mention the TZ stanza in each and every host name individually for 200 + host names mentioned in props.conf as shown below.

Example: Plant from Malaysia ( First 3 different host )

Props.conf

Host in Malaysia

[host::10.X.X.X]
TRANSFORMS-guardrename = guardrename_Host1
TZ = GMT -7

#Host in EST
[host::10.X.X.X]
TRANSFORMS-guardrename = guardrename_Host4
TZ = EST

Host in CST

[host::10.X.X.X]
TRANSFORMS-guardrename = guardrename_Host7
TZ = CST

Another important doubt to be clarified, that all our splunk instance are at EDT time zone, so should we need to adjust anything for day light saving in the above stanza ?

Kindly guide me on this.

0 Karma

SplunkTrust
SplunkTrust

YOu would need to specify the TZ attribute in each of the host stanza.

For automatically handling DST, specify the TZ according to the table listed in this page.

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List

0 Karma

SplunkTrust
SplunkTrust

Is the plant location logged somewhere in the raw data OR file path? OR are their specific host name/prefix for each plant?

0 Karma

Motivator

Hi Somesoni2 thanks for your quick response on this, hey all plant are separated with specific host name and IP address, we use the below query to filter each plant based on the host.

Example:

index=firewall sourcetype=guard:network:firewall host="elspc0*"

11/3/17
1:04:28.000 PM

Nov 3 13:04:28 10.15.13.240 2017-11-0317:04:28.02540 <13>Nov 3 12:04:28 memlog: 1947 root 2976 S /Packages/ssh0/sbin/sshd -D -f /etc/sshd/sshd_config
host = elspc001 source = /opt/syslogs/guard/10.x.x.x/guard.log sourcetype = guard:network:firewall

likewise for each plant contains different set of host name sending the firewall data to HF instances.

As I had stated earlier in my comment, that Props.conf and transforms.conf are configured based on setting per-event Host name concept.

Kindly guide me how to adjust the time zone based on the plant location.

thanks in advance.

0 Karma