Getting Data In

Setting correct timezone for McAfee logs in dbconnect

Path Finder

I have been having issues modifying the timezone for McAfee logs. Currently, my logs are indexed as UTC, and I would like to change it to EST. I am currently on dbconnect 3.1.1 and have the Splunk Add-on for McAfee 2.2.0 installed on my indexers and search heads (Splunk version 6.5.3). I am using the McAfee template to query the db, and the logs show the correct timestamp in the Eastern timezone.

I've tried the following methods, but have not had success:

- adjusting the settings in the JVM options
- adjusting the connection options to UTC and US/Eastern
- creating a SQL query
- changing the setting localTimezoneConversionEnabled to true/false

Appreciate the help.


Re: Setting correct timezone for McAfee logs in dbconnect

Path Finder

Were you able to get this resolved? We're having the same problem and have hundreds of endpoints in different time zones.


Re: Setting correct timezone for McAfee logs in dbconnect

Communicator

Hello! You can try changing the timezone in props.conf in etc/system/local/

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf


Re: Setting correct timezone for McAfee logs in dbconnect

Path Finder

Any updates on this issue?
I have the same issue after migrating from DBConnect v2 to v3.1.3.
Using Add-on for McAfee 2.2.0.
Our current workaround is to add 10 hours to match our timezone, but this won't fly for daylight saving unless we keep changing it manually.

Temp workaround at the top of the SQL query:
    SELECT
        dateadd(hour, 10, [EPOEvents].[ReceivedUTC]) AS [timestamp],

A permanent solution would be great. Not sure what changed from v2 to v3.1.3.
I have also logged it with Splunk support, so I'll see what they come back with.


Re: Setting correct timezone for McAfee logs in dbconnect

Path Finder

So, here are the steps we completed to fix our timestamp issue.

  • We updated our DB Connect to 3.1.1.
  • In the db connection configuration settings, we set the timezone to UTC +00:00.
  • We chose the detected_timestamp column instead of timestamp in our inputs.
  • We didn't modify the props.conf or db_connections.conf files (left as UTC).
  • I set my user settings to my timezone.
  • No changes were made to the McAfee template query regarding time.

The events are now showing as my local time. I hope this helps.

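
The fixed +10h workaround posted earlier in the thread is off by one hour whenever daylight saving is in effect, which is why the accepted answer leaves the column in UTC and lets the user's Splunk timezone setting do the conversion. For a site that still has to shift the value inside the query, this added example (not code from the thread, from DB Connect or from the McAfee add-on) replaces the fixed offset with a DST-aware conversion; it assumes the ePO database is SQL Server 2016 or later (where AT TIME ZONE exists) and uses 'AUS Eastern Standard Time' as a placeholder for the site's Windows time zone name.

```sql
-- Added example, not from the thread. Assumes SQL Server 2016+ (AT TIME ZONE)
-- and a placeholder target zone; replace 'AUS Eastern Standard Time' with the
-- Windows time zone name for your site (SELECT name FROM sys.time_zone_info).
SELECT
    -- Fixed-offset form from the thread: one hour wrong while DST is in effect.
    -- dateadd(hour, 10, [EPOEvents].[ReceivedUTC]) AS [timestamp],

    -- DST-aware form: first tag the stored value as UTC (it has no offset),
    -- then convert it; the offset applied follows the zone's DST rules.
    CAST(([EPOEvents].[ReceivedUTC] AT TIME ZONE 'UTC')
             AT TIME ZONE 'AUS Eastern Standard Time' AS datetime2) AS [timestamp],

    -- Keep the untouched UTC value in the event so the raw time is still auditable.
    [EPOEvents].[ReceivedUTC]
    -- plus the other columns the McAfee template already selects
FROM [EPOEvents];
```

Check the result against a known event on both sides of a DST change before relying on it: the converted [timestamp] should differ from [ReceivedUTC] by 10 hours in winter and 11 hours in summer for this placeholder zone.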