Getting Data In

Setting correct timezone for mcafee logs in dbconnect

rsanders30
Path Finder

I have been having issues modifying the timezone for McAfee logs. Currently, my logs are indexed as UTC, and I would like to change it to EST. I am currently on DB Connect 3.1.1 and have the Splunk Add-on for McAfee 2.2.0 installed on my indexers and search heads (Splunk version 6.5.3). I am using the McAfee template to query the DB, and the logs show the correct timestamp in the Eastern timezone.

I've tried the following methods, but have not had success:

- adjusting the settings in the JVM options
- adjusting the connection options to UTC and US/Eastern
- creating a SQL query
- changing the localTimezoneConversionEnabled setting to true/false

Appreciate the help.

1 Solution

rsanders30
Path Finder

So, here are the steps we completed to fix our timestamp issue.

  • We updated our DB Connect to 3.1.1.
  • In the db connection configuration settings, we set the timezone to UTC ++00:00.
  • We chose the detected_timestamp column instead of timestamp in our inputs.
  • We didn't modify the props.conf or db_connections.conf files (left as UTC).
  • I set my user settings to my timezone.
  • No changes were made to the McAfee template query regarding time.

The events are now showing as my local time. I hope this helps.


0 Karma


gerald_contrera
Path Finder

Any updates on this issue?
I have the same issue after migrating from DB Connect v2 to v3.1.3.
Using Add-on for McAfee 2.2.0.
Our current workaround is to add 10 hrs to match our timezone, but this won't fly for daylight saving unless we keep manually changing it.

Temp workaround at top of SQL query:
SELECT
    dateadd(hour, 10, [EPOEvents].[ReceivedUTC]) AS [timestamp],

A permanent solution would be great. Not sure what changed from v2 to v3.1.3.
I have also logged this with Splunk support, so I'll see what they come back with.

0 Karma
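The fixed +10 hr workaround above drifts by an hour every time daylight saving switches, which is exactly the problem the accepted answer avoids by leaving the column in UTC and letting Splunk render it per user. As an added example (not code from the thread or from the McAfee add-on), here is the weak form beside a version that keeps the value in UTC with an explicit offset and, for a sanity check, a DST-aware local conversion. It assumes SQL Server 2016 or later (AT TIME ZONE), the ePO table [dbo].[EPOEvents] with its [ReceivedUTC] column, and the Windows time-zone name 'AUS Eastern Standard Time' for a UTC+10/+11 site; substitute your own zone name.

```sql
-- Weak form: the thread's fixed offset. Correct only while the site is on
-- standard time; an hour out for the daylight-saving half of the year.
SELECT TOP (5)
    DATEADD(hour, 10, [EPOEvents].[ReceivedUTC]) AS [timestamp_fixed_offset]
FROM [dbo].[EPOEvents]
ORDER BY [EPOEvents].[ReceivedUTC] DESC;

-- Preferred: hand DB Connect a UTC value whose offset is explicit (+00:00),
-- so neither DB Connect nor Splunk has to guess the zone. Splunk stores
-- _time in UTC and each user's time-zone setting does the display
-- conversion, daylight saving included.
SELECT TOP (5)
    [EPOEvents].[ReceivedUTC] AT TIME ZONE 'UTC' AS [timestamp],
    -- Local, DST-aware rendering for verifying the query in SSMS; assumed
    -- zone name, adjust for your site. Not needed as the indexed timestamp.
    [EPOEvents].[ReceivedUTC] AT TIME ZONE 'UTC'
        AT TIME ZONE 'AUS Eastern Standard Time' AS [timestamp_local_check]
FROM [dbo].[EPOEvents]
ORDER BY [EPOEvents].[ReceivedUTC] DESC;
```

Compare [timestamp_fixed_offset] with [timestamp_local_check] on rows from January and July to see the one-hour gap the fixed offset introduces.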

bangalorep
Communicator

Hello! You can try changing the timezone in props.conf in etc/system/local/

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf

0 Karma

johnebgood
Path Finder

Were you able to get this resolved? We're having the same problem and have hundreds of endpoints in different time zones.

0 Karma