I have been having issues modifying the timezone for McAfee logs. Currently, my logs are indexed as UTC, and I would like to change it to EST. I am currently on DB Connect 3.1.1 and have the Splunk Add-on for McAfee 2.2.0 installed on my indexers and search heads (Splunk version 6.5.3). I am using the McAfee template to query the DB, and the logs show the correct timestamp in Eastern timezone.
I've tried the following methods, but have not had success:
- adjusting the settings in the JVM options
- adjusting the connection options to UTC and US/Eastern
- creating a SQL query
- changing the setting localTimezoneConversionEnabled to true/false
Appreciate the help.
Were you able to get this resolved? We're having the same problem and have hundreds of endpoints in different time zones.
Any updates on this issue?
I have the same issue after migrating from DBConnect v2 to v3.1.3
Using Add-on for McAfee 2.2.0
Our current workaround is to +10hrs to match our timezone, but this won't fly for daylight saving unless we keep manually changing it.
Temp workaround at top of SQL query:
dateadd (hour, 10 , [EPOEvents].[ReceivedUTC]) as [timestamp],
A permanent solution would be great. Not sure what changed from v2 to v3.1.3
I have also logged this with Splunk support, so I'll see what they come back with.
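The daylight-saving drift of the fixed `dateadd` offset described above, next to a zone-aware conversion, as an added example that is not part of the original posts or of the add-on's own query template. It assumes the ePO database runs on SQL Server 2016 or later (where `AT TIME ZONE` is available); the table variable, its rows and the target zone name are constructed for illustration.

```sql
-- Constructed sample rows standing in for [EPOEvents].[ReceivedUTC]; not real ePO data.
DECLARE @EPOEvents TABLE (AutoID int, ReceivedUTC datetime);
INSERT INTO @EPOEvents (AutoID, ReceivedUTC) VALUES
    (1, '2018-01-15T02:30:00'),  -- date on which the assumed zone observes daylight saving
    (2, '2018-07-15T02:30:00');  -- date on which the assumed zone is on standard time

-- Assumption: the target zone is 'AUS Eastern Standard Time' (a Windows zone name).
-- Substitute your own zone; valid names are listed in sys.time_zone_info.
SELECT
    e.AutoID,
    e.ReceivedUTC,
    -- Fixed offset, as in the workaround: correct only while the zone is at UTC+10.
    DATEADD(hour, 10, e.ReceivedUTC) AS fixed_offset_ts,
    -- Zone-aware: declare the stored value as UTC, convert to the target zone,
    -- then drop the offset so the column is a plain local timestamp.
    CAST(e.ReceivedUTC AT TIME ZONE 'UTC'
                       AT TIME ZONE 'AUS Eastern Standard Time'
         AS datetime2(0)) AS zone_aware_ts,
    -- Minutes by which the fixed-offset value is wrong for this row.
    DATEDIFF(minute,
             DATEADD(hour, 10, e.ReceivedUTC),
             CAST(e.ReceivedUTC AT TIME ZONE 'UTC'
                                AT TIME ZONE 'AUS Eastern Standard Time'
                  AS datetime2(0))) AS drift_minutes
FROM @EPOEvents AS e
ORDER BY e.AutoID;
```

With these rows the January event shows a 60-minute drift and the July event shows none, which is the hour that would otherwise skew event correlation across the daylight-saving change.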
So, here are the steps we completed to fix our timestamp issue.
The events are now showing as my local time. I hope this helps.