Getting Data In

Why did timezone adjustment (TZ) fail for a single app? - IIS logs (UTC)

corti77
Contributor

Hi,

Trying to correlate failed logon attempts (event 4776) with the IIS OWA logs, I realized that the OWA logs are in UTC by default and I am in CEST time (Madrid).

According to the official documentation:

"To configure time zone settings, edit the props.conf file in $FORWARDER_HOME/etc/system/local/ or in your own custom application directory in $FORWARDER_HOME/etc/apps/."

https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Applytimezoneoffsetstotimestamps

I deployed several apps in the Exchange server, but only one app is reporting wrongly, called TA-Windows-Exchange-IIS. So I only need to change the timezone in that specific app, if I understood correctly.

And this is what I did, creating the file props.conf in the local path of the app.

C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Windows-Exchange-IIS\local

[monitor://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC

[monitor://E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
TZ = UTC

I restarted the splunkforwarder service just in case. The result is that the time is still wrongly taken from those Exchange events, in UTC.

Any idea on what I am doing wrong?

Thanks a lot.

VatsalJagani
SplunkTrust

You need to set that parameter in props.conf and not in the inputs.conf. 

[monitor://....] -> that seems like inputs.conf stanza.


You can use props.conf something like this:

[source::C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC

[source::E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews...]
TZ = UTC


Please consider accepting the answer if it resolves your issue.

corti77
Contributor

Sorry, but I just realized that it worked only in one of the logs (EWS), where the datetime is encoded in a single string, something like the one below:

2022-04-01T14:00:00.868Z

In the second log (IIS logs), the datetime is encoded in two separate fields and the TZ does not work 😞


#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-04-05 00:00:13
#Fields: date time s-ip cs-method cs-uri-stem .........
2022-04-04 23:59:43 192.168.5.119 POST /EWS/Exchange.asmx ......

Any idea on how to solve this issue?

VatsalJagani
SplunkTrust

You need to add a few more parameters for timestamp extraction.

I don't know which logs are from which source, but make sure you have the following attributes added for all the sources/sourcetypes for timestamp extraction.

TIME_PREFIX = <regular expression for text that comes before your timestamp in event>
MAX_TIMESTAMP_LOOKAHEAD = <generally specify how many character long>
TIME_FORMAT = <strptime-style format>

(This configuration does not work on Universal forwarder, so need to put on Indexers or HF, whichever is first in the data pipeline. If you are confused put common configuration everywhere.)

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition


Please show me your sample single event from each source and what configuration you have added in props.conf.


corti77
Contributor

Thanks a lot for the reply.

Below is an example of a log from our IIS 10.0, sourcetype MSWindows:2012:IIS:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-04-05 00:00:13
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken OriginalClientIP

2022-04-04 23:59:43 192.168.5.119 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=311a30a0-e1bc-4824-9bf8-78a84e51e66f; 443 - 192.168.1.10 OC/16.0.5266.1000+(Skype+for+Business) - 401 1 2148074254 6 192.168.120.019

Below is the configuration in the local props.conf in the universal forwarder. This conversion does not work.

[source:://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC

The EWS event, sourcetype MSWindows:2013EWS:IIS:

#Software: Microsoft Exchange Server
#Version: 15.01.2375.024
#Log-type: EWS Logs
#Date: 2022-04-01T14:00:00.868Z
#Fields: DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,Ring,ClientRequestId,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,UserAgent,VersionInfo,ClientIpAddress,ServerHostName,FrontEndServer,SoapAction,HttpStatus,RequestSize,ResponseSize,ErrorCode,ImpersonatedUser,ProxyAsUser,ActAsUser,Cookie,CorrelationGuid,PrimaryOrProxyServer,TaskType,RemoteBackendCount,LocalMailboxCount,RemoteMailboxCount,LocalIdCount,RemoteIdCount,BeginBudgetConnections,EndBudgetConnections,BeginBudgetHangingConnections,EndBudgetHangingConnections,BeginBudgetAD,EndBudgetAD,BeginBudgetCAS,EndBudgetCAS,BeginBudgetRPC,EndBudgetRPC,BeginBudgetFindCount,EndBudgetFindCount,BeginBudgetSubscriptions,EndBudgetSubscriptions,MDBResource,MDBHealth,MDBHistoricalLoad,ThrottlingPolicy,ThrottlingDelay,ThrottlingRequestType,TotalDCRequestCount,TotalDCRequestLatency,TotalMBXRequestCount,TotalMBXRequestLatency,RecipientLookupLatency,ExchangePrincipalLatency,HttpPipelineLatency,CheckAccessCoreLatency,AuthModuleLatency,CallContextInitLatency,PreExecutionLatency,CoreExecutionLatency,TotalRequestTime,DetailedExchangePrincipalLatency,ClientStatistics,GenericInfo,AuthenticationErrors,GenericErrors,Puid,StartTime,ProcessId,TimeInGC,StartTotalMemory,EndTotalMemory,StartGCCounts,EndGCCounts,TokenBasedThrottlingPolicy,BudgetKey,CoinsCharged,CoinsChargedMethod,SidBudgetInfo,AppBudgetInfo,TenantBudgetInfo,ResourceAccessed,ResourceHealthBasedThreshold,ThrottledBy,BackoffHint,WorkClassification


2022-04-01T14:00:00.868Z,,,,,,,,,,,,,,,ATLHQMPHSMX1,,Sbsc_CrteConn,,,,,,,,,5762e070-cd04-4a48-b8a0-c7e2e92bf44b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"tid=218;ids=GwBhdGxocW1waHNteDEuZXVzYy5ldXJvcGEuZXUQAAAAu102b6n77UaAEklyXm6szlGKoAfXE9oIEAAAAHI7snqKwO9EmfSm6ShSBiA=,GwBhdGxocW1waHNteDEuZXVzYy5ldXJvcGEuZXUQAAAANp1bvAzPgk6hAQNcN48NUK5rnAfXE9oIEAAAAHI7snqKwO9EmfSm6ShSBiA=,GwBhdGxocW1waHNteDEuZXVzYy5ldXJvcGEuZXUQAAAAL/oQ6e4mOUyVLywPBYs3LmNglwfXE9oIEAAAAHI7snqKwO9EmfSm6ShSBiA=,;dts=cnt:3,LifeTime:900,",,,,,,,,,,,,,,,,,,,,,,

Below is the configuration in the same local props.conf in the universal forwarder. This conversion does work correctly.

[source:://E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
TZ = UTC


In which app should I configure those new attributes?

I would use the options below, what do you think?

MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

Cheers

corti77
Contributor

Thanks for the answer.

You were right. I changed the stanza to source::, forced the deployment of the new props.conf, restarted the Splunk forwarder services and it worked!! 🙂

[source:://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
TZ = UTC

[source:://E:\Program Files\Microsoft\Exchange Server\V15\Logging\Ews]
TZ = UTC


richgalloway
SplunkTrust

Changing props.conf only affects newly-ingested events. Data already indexed is unchanged. Also, the TZ setting has no effect if the timestamp in the event contains a time zone indication.

---
If this reply helps you, Karma would be appreciated.
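As an added illustration, not code from this thread, from Splunk or from the TA-Windows-Exchange-IIS app, the Python sketch below mimics how the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT / TZ chain suggested above behaves on the two sample events in the thread (the two-field IIS "date time" versus the single ISO 8601 EWS string), why TZ is ignored once an event carries its own zone indication (the point made in the reply just above), and why a timestamp read in the wrong zone defeats the correlation with a 4776 logon failure that the original question was about. The attribute values, the shortened sample lines and the 4776 time are constructed assumptions; the real TA's configuration may differ.

```python
import re
from datetime import datetime, timedelta, timezone

# Analyst's local zone (the thread's author is in Madrid, CEST in April).
# zoneinfo needs system tzdata; fall back to a fixed CEST offset if it is missing.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("Europe/Madrid")
except Exception:  # no zoneinfo module or no tzdata installed
    LOCAL_TZ = timezone(timedelta(hours=2), "CEST")

ZONES = {"UTC": timezone.utc, "Europe/Madrid": LOCAL_TZ}

# props.conf-style attributes for the two sourcetypes named in the thread.
# Assumed values chosen to fit the sample lines, not the TA's own configuration.
PROPS = {
    "MSWindows:2012:IIS": {            # W3C: "date time" as two space-separated fields
        "TIME_PREFIX": r"^",
        "MAX_TIMESTAMP_LOOKAHEAD": 20,  # search window; the timestamp itself is 19 chars
        "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
        "TZ": "UTC",
    },
    "MSWindows:2013EWS:IIS": {         # EWS: single ISO 8601 string ending in 'Z'
        "TIME_PREFIX": r"^",
        "MAX_TIMESTAMP_LOOKAHEAD": 24,
        "TIME_FORMAT": "%Y-%m-%dT%H:%M:%S.%f%z",  # %z consumes the trailing 'Z'
        "TZ": "UTC",
    },
}

# Constructed sample events, shortened from the thread's examples.
IIS_LINE = "2022-04-04 23:59:43 192.168.5.119 POST /EWS/Exchange.asmx - 443 - 192.168.1.10 - - 401 1 2148074254 6"
EWS_LINE = "2022-04-01T14:00:00.868Z,,,,,,,,,,,,,,,ATLHQMPHSMX1,,Sbsc_CrteConn,,,"


def parse_timestamp(line, cfg):
    """Mimic the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT / TZ chain.

    The format is tried against ever-shorter prefixes of the lookahead window,
    so the window may be a little longer than the timestamp itself. TZ is applied
    only when the parsed timestamp carries no zone of its own.
    """
    m = re.search(cfg["TIME_PREFIX"], line)
    if m is None:
        return None
    window = line[m.end(): m.end() + cfg["MAX_TIMESTAMP_LOOKAHEAD"]]
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], cfg["TIME_FORMAT"])
        except ValueError:
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=ZONES[cfg["TZ"]])
        return ts
    return None


def to_local(ts):
    """Convert an aware timestamp to the analyst's zone for display and correlation."""
    return ts.astimezone(LOCAL_TZ)


def same_window(a, b, seconds=60):
    """True when two aware timestamps denote instants at most `seconds` apart."""
    return abs((a - b).total_seconds()) <= seconds


def demo():
    iis = parse_timestamp(IIS_LINE, PROPS["MSWindows:2012:IIS"])
    ews = parse_timestamp(EWS_LINE, PROPS["MSWindows:2013EWS:IIS"])
    # Constructed 4776 failure, already in local time on the domain controller.
    logon_4776 = datetime(2022, 4, 5, 1, 59, 40, tzinfo=LOCAL_TZ)
    # The misreading from the thread: the UTC wall-clock string taken as local time.
    iis_misread = iis.replace(tzinfo=LOCAL_TZ)
    return {
        "iis_utc": iis.isoformat(),
        "iis_local": to_local(iis).isoformat(),
        "ews_utc": ews.isoformat(),
        "correlates_when_tz_correct": same_window(iis, logon_4776),
        "correlates_when_tz_misread": same_window(iis_misread, logon_4776),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the IIS line read as UTC, 23:59:43 becomes 01:59:43 CEST and lands three seconds from the 4776 failure; read as local time it is two hours away and the correlation is lost. Passing a different TZ for the EWS sourcetype changes nothing, because the `Z` in the event already fixes the zone.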