Hi,
Trying to correlate failed logon attempts (event 4776) with the IIS OWA logs, I realized that the OWA logs are in UTC by default and I am in CEST time (Madrid).
According to the official documentation:
To configure time zone settings, edit the props.conf file in $FORWARDER_HOME/etc/system/local/ or in your own custom application directory in $FORWARDER_HOME/etc/apps/.
https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Applytimezoneoffsetstotimestamps
I deployed several apps in the exchange server but only one app is reporting wrongly, called TA-Windows-Exchange-IIS. So I only need to change the timezone in that specific app if I understood correctly.
And this is what I did, creating the file props.conf in the local path of the app.
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Windows-Exchange-IIS\local
[monitor://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC
[monitor://E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
TZ = UTC
I restarted the splunkforwarder service just in case. The result is that the time is still wrongly taken from those exchange events, in UTC.
Any idea on what I am doing wrong?
thanks a lot.
You need to set that parameter in props.conf and not in the inputs.conf.
[monitor://....] -> that looks like an inputs.conf stanza.
You can use props.conf something like this:
[source::C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC
[source::E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews...]
TZ = UTC
Please consider accepting the answer if it resolves your issue.
Sorry but I just realized that it worked only in one of the logs (EWS) where the datetime is encoded in a single string, something like the one below
2022-04-01T14:00:00.868Z
In the second log (IIS logs), the datetime is encoded in two separate fields and the TZ does not work 😞
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-04-05 00:00:13
#Fields: date time s-ip cs-method cs-uri-stem .........
2022-04-04 23:59:43 192.168.5.119 POST /EWS/Exchange.asmx ......
Any idea on how to solve this issue?
You need to add a few more parameters for timestamp extraction.
I don't know which logs are from which source but make sure you have the following attributes added for all the sources/sourcetypes for timestamp extraction.
TIME_PREFIX = <regular expression for text that comes before your timestamp in event>
MAX_TIMESTAMP_LOOKAHEAD = <generally specify how many characters long>
TIME_FORMAT = <strptime-style format>
(This configuration does not work on Universal forwarder, so need to put on Indexers or HF, whichever is first in the data pipeline. If you are confused put common configuration everywhere.)
https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
Please show me your sample single event from each source and what configuration you have added in props.conf.
Thanks a lot for the reply.
Below is an example of a log of our IIS 10.0, sourcetype MSWindows:2012:IIS
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-04-05 00:00:13
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken OriginalClientIP
2022-04-04 23:59:43 192.168.5.119 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=311a30a0-e1bc-4824-9bf8-78a84e51e66f; 443 - 192.168.1.10 OC/16.0.5266.1000+(Skype+for+Business) - 401 1 2148074254 6 192.168.120.019
Below is the configuration in the local props.conf in the universal forwarder. This conversion does not work.
[source:://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC
The EWS event, sourcetype MSWindows:2013EWS:IIS
#Software: Microsoft Exchange Server
#Version: 15.01.2375.024
#Log-type: EWS Logs
#Date: 2022-04-01T14:00:00.868Z
#Fields: DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,Ring,ClientRequestId,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,UserAgent,VersionInfo,ClientIpAddress,ServerHostName,FrontEndServer,SoapAction,HttpStatus,RequestSize,ResponseSize,ErrorCode,ImpersonatedUser,ProxyAsUser,ActAsUser,Cookie,CorrelationGuid,PrimaryOrProxyServer,TaskType,RemoteBackendCount,LocalMailboxCount,RemoteMailboxCount,LocalIdCount,RemoteIdCount,BeginBudgetConnections,EndBudgetConnections,BeginBudgetHangingConnections,EndBudgetHangingConnections,BeginBudgetAD,EndBudgetAD,BeginBudgetCAS,EndBudgetCAS,BeginBudgetRPC,EndBudgetRPC,BeginBudgetFindCount,EndBudgetFindCount,BeginBudgetSubscriptions,EndBudgetSubscriptions,MDBResource,MDBHealth,MDBHistoricalLoad,ThrottlingPolicy,ThrottlingDelay,ThrottlingRequestType,TotalDCRequestCount,TotalDCRequestLatency,TotalMBXRequestCount,TotalMBXRequestLatency,RecipientLookupLatency,ExchangePrincipalLatency,HttpPipelineLatency,CheckAccessCoreLatency,AuthModuleLatency,CallContextInitLatency,PreExecutionLatency,CoreExecutionLatency,TotalRequestTime,DetailedExchangePrincipalLatency,ClientStatistics,GenericInfo,AuthenticationErrors,GenericErrors,Puid,StartTime,ProcessId,TimeInGC,StartTotalMemory,EndTotalMemory,StartGCCounts,EndGCCounts,TokenBasedThrottlingPolicy,BudgetKey,CoinsCharged,CoinsChargedMethod,SidBudgetInfo,AppBudgetInfo,TenantBudgetInfo,ResourceAccessed,ResourceHealthBasedThreshold,ThrottledBy,BackoffHint,WorkClassification
2022-04-01T14:00:00.868Z,,,,,,,,,,,,,,,ATLHQMPHSMX1,,Sbsc_CrteConn,,,,,,,,,5762e070-cd04-4a48-b8a0-c7e2e92bf44b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"tid=218;ids=GwBhdGxocW1waHNteDEuZXVzYy5ldXJvcGEuZXUQAAAAu102b6n77UaAEklyXm6szlGKoAfXE9oIEAAAAHI7snqKwO9EmfSm6ShSBiA=,GwBhdGxocW1waHNteDEuZXVzYy5ldXJvcGEuZXUQAAAANp1bvAzPgk6hAQNcN48NUK5rnAfXE9oIEAAAAHI7snqKwO9EmfSm6ShSBiA=,GwBhdGxocW1waHNteDEuZXVzYy5ldXJvcGEuZXUQAAAAL/oQ6e4mOUyVLywPBYs3LmNglwfXE9oIEAAAAHI7snqKwO9EmfSm6ShSBiA=,;dts=cnt:3,LifeTime:900,",,,,,,,,,,,,,,,,,,,,,,
Below is the configuration in the same local props.conf in the universal forwarder. This conversion does work correctly.
[source:://E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
TZ = UTC
In which app should I configure those new attributes?
I would use the options below, what do you think?
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
Cheers
Thanks for the answer.
You were right, I changed the stanza to source::, forced the deployment of the new props.conf, restarted the splunk forwarder services and it worked!! 🙂
[source:://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC
[source:://E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
TZ = UTC
Changing props.conf only affects newly-ingested events. Data already indexed is unchanged. Also, the TZ setting has no effect if the timestamp in the event contains a time zone indication.
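As an added illustration (not code from the thread or from Splunk), a small Python model of what TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD and TZ do to the two sample events posted above, and why the TZ setting matters for the IIS line but not for the EWS line: the IIS event carries a bare "date time" pair with no zone, so the configured TZ decides how it is interpreted, while the EWS DateTime ends in Z and already states UTC. The sample lines are constructed from the events in the thread (truncated), Europe/Madrid is assumed as the local zone, and a 4776 timestamp is assumed to be Madrid wall-clock time.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed samples, shortened from the events posted in the thread.
IIS_LINE = ("2022-04-04 23:59:43 192.168.5.119 POST /EWS/Exchange.asmx - 443 - "
            "192.168.1.10 OC/16.0.5266.1000+(Skype+for+Business) - 401 1 2148074254 6")
EWS_LINE = "2022-04-01T14:00:00.868Z,,,,,,,,,,,,,,,ATLHQMPHSMX1,,Sbsc_CrteConn"

LOCAL_TZ = ZoneInfo("Europe/Madrid")  # assumed local zone; CEST (UTC+2) in April


def parse_iis_timestamp(line, tz="UTC", lookahead=20, time_format="%Y-%m-%d %H:%M:%S"):
    """Model of the props.conf settings for the IIS W3C log: look at the first
    `lookahead` characters, parse them with TIME_FORMAT, and because the text
    carries no zone indication, attach the configured TZ."""
    if line.startswith("#"):
        return None  # W3C header lines (#Software, #Date, #Fields) are not events
    candidate = line[:lookahead]
    # strptime wants an exact match, so keep just the 19-character "date time" pair
    naive = datetime.strptime(candidate[:19], time_format)
    return naive.replace(tzinfo=ZoneInfo(tz))


def parse_ews_timestamp(line):
    """The EWS DateTime field ends in 'Z', so the event itself says UTC and a
    TZ setting has nothing to add (mirrors the last remark in the thread)."""
    field = line.split(",", 1)[0]
    # fromisoformat() accepts "+00:00" on all supported Python versions
    return datetime.fromisoformat(field.replace("Z", "+00:00"))


def to_local(ts):
    """Convert an aware timestamp to Madrid wall-clock time for correlation."""
    return ts.astimezone(LOCAL_TZ)


def within_window(iis_ts, logon_local_naive, window_seconds=60):
    """Correlate an IIS 401 with an event 4776 whose time is Madrid wall-clock.
    With TZ=UTC the two line up; with the wrong TZ they drift apart by two hours."""
    logon = logon_local_naive.replace(tzinfo=LOCAL_TZ)
    return abs((logon - iis_ts).total_seconds()) <= window_seconds
```

Running parse_iis_timestamp with tz="Europe/Madrid" reproduces the original symptom: the 23:59:43 request is placed two hours away from the matching 4776 event and the correlation fails.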