
Windows Eventlogs from windows splunk universal forwarder lacking timezone

Alex00001
Loves-to-Learn

The timezone on my Splunk indexer is GMT and the Windows machine is PST.

I found that the metadata from Windows Eventlogs loses the timezone info, so the time in the raw events is 8 hours earlier than `_time`, which is the real time in GMT.

[screenshot]

The effect is that all of these logs will be 8 hours earlier than the real time after a `collect` action, as in the following image, which just collects the data into a new index.

[screenshot]

I want timezone info to be added to the Windows Eventlogs, or to be able to modify the time info in the Windows Splunk universal forwarder.

I have tried changing props.conf on the forwarder and the indexer, but it changes the timestamp, not the raw events.

What's more, I will not change the system timezone on the machine, because unknown problems may be introduced into the systems.

Can I change the time info in Windows Eventlogs without changing the Windows system timezone?

0 Karma

PickleRick
SplunkTrust

First and foremost - I'd change the ingestion format of windows logs from the traditional "plaintext" to XML. I've never encountered time-related problems with XML-reported windows logs (apart from the cases when the timezone itself was indeed wrongly set on the source machine).

0 Karma

gcusello
SplunkTrust

Hi @Alex00001 ,

see props.conf at https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Propsconf

where you can find:

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
  * If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
  * If TZ is set to a valid timezone string, use that.
  * If the event was forwarded, and the forwarder-indexer connection uses
  the version 6.0 and higher forwarding protocol, use the timezone provided
  by the forwarder.
  * Otherwise, use the timezone of the system that is running splunkd.
* Default: empty string

In this way you can configure the correct timezone for your logs.

Ciao.

Giuseppe

0 Karma
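To make the precedence quoted from props.conf concrete, here is an added example (not from the thread or from Splunk's own code) that models that four-step rule and reproduces the 8-hour gap the question describes: a stamp with no zone is correct while the forwarder supplies its zone, reads 8 hours early when the same raw text is re-parsed on a GMT indexer with nothing but the host zone, and is correct again once TZ is set. The event text, the hypothetical helper names and the plain GMT host are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample event in the classic (non-XML) Windows event log format.
# The host clock is PST and the stamp carries no zone. A January date is used
# so the offset is a fixed 8 hours; on a DST date America/Los_Angeles is UTC-7.
RAW_EVENT = "01/21/2023 10:00:00 AM\nLogName=Security\nEventCode=4624\n"

STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
TZ_IN_RAW = re.compile(r"(UTC|GMT|[+-]\d{2}:\d{2})\b")


def _tz(value):
    """Accept an IANA zone name or a tzinfo object (convenience for this example)."""
    return value if hasattr(value, "utcoffset") else ZoneInfo(value)


def resolve_timezone(raw, tz_setting=None, forwarder_tz=None, splunkd_tz=timezone.utc):
    """Precedence quoted from props.conf above: a zone in the raw text, then the
    TZ setting, then the zone a v6+ forwarder supplies, then splunkd's host zone."""
    m = TZ_IN_RAW.search(raw)
    if m:
        tok = m.group(1)
        if tok in ("UTC", "GMT"):
            return timezone.utc
        sign = 1 if tok[0] == "+" else -1
        hh, mm = tok[1:].split(":")
        return timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))
    if tz_setting:
        return _tz(tz_setting)
    if forwarder_tz:
        return _tz(forwarder_tz)
    return _tz(splunkd_tz)


def extract_time(raw, **kw):
    """Return _time (epoch seconds) for the event's leading Windows timestamp."""
    naive = datetime.strptime(STAMP.match(raw).group(1), "%m/%d/%Y %I:%M:%S %p")
    return naive.replace(tzinfo=resolve_timezone(raw, **kw)).timestamp()


def hours_early(correct_epoch, observed_epoch):
    """How many hours the observed _time lags the correct one."""
    return (correct_epoch - observed_epoch) / 3600


# 1. Forwarded from the PST host: the forwarder's zone is used and _time is right.
t_forwarded = extract_time(RAW_EVENT, forwarder_tz="America/Los_Angeles")
# 2. The same raw text re-parsed on a GMT indexer with no TZ and no forwarder
#    in the path (the `collect` case): the stamp is read as GMT, 8 hours early.
t_collected = extract_time(RAW_EVENT, splunkd_tz=timezone.utc)
# 3. Fix: TZ set for that sourcetype in props.conf on the indexer.
t_fixed = extract_time(RAW_EVENT, tz_setting="America/Los_Angeles")

if __name__ == "__main__":
    print(hours_early(t_forwarded, t_collected), t_fixed == t_forwarded)  # 8.0 True
```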

Alex00001
Loves-to-Learn

Thank you for your answer.

I had tried the TZ attribute, and as far as I know, it only changes the timestamp but does not change the time info in the Windows raw event.

What I want is shown in the following images; I don't know if I made my problem clear.

[screenshot]

[screenshot]

0 Karma

gcusello
SplunkTrust

Hi @Alex00001 ,

Splunk by default doesn't modify raw logs;

using TZ you give your events the correct timestamp to correlate them with other data sources.

If you want, you can modify events before indexing, but my hint is to assign the correct timestamp and leave the original time on the events.

Ciao.

Giuseppe

0 Karma

Alex00001
Loves-to-Learn

Thank you for your advice. I wonder how I can modify events before indexing in wineventlog.
And what makes me confused is why the Splunk forwarder doesn't add timezone info to winevent logs.


Although TZ can make `_time` equal to the raw time in the logs, that is not the real time the log was reported in my timezone, and it will add persistent work to remind others that we have some logs not in our timezone and blabla...
I need to manage the logs uniformly instead of dividing them into different indexes by timezone.


Thank you.

0 Karma

gcusello
SplunkTrust

Hi @Alex00001 ,

you don't need to put logs in different indexes by timezone; in fact, it isn't good practice: indexes are usually chosen for retention and access grants.

Setting the timezone in props.conf, you set the correct timestamp while preserving the original event log, and you can correlate events from different settings because the timestamps are correct.

Ciao.

Giuseppe

0 Karma