How to Handle Time Zone with Log Analysis

Overview

The MSActivator provides syslog collection, analysis and indexing through its Log Analysis module. The syslog collection and analysis module parses each syslog to extract the fields that are stored and indexed in Elasticsearch. Because not every device includes its time zone in the syslogs it sends, the MSActivator does not extract any time zone information and therefore reads the syslog date without a time zone. By default, the MSActivator assigns the GMT time zone (+0000) to the syslogs. If the sending device is not actually in GMT, its syslogs are indexed with a timestamp shifted by the device's real offset, and the Log Analysis module shows inaccurate results: events from that device appear hours before or after related events from correctly indexed devices, which breaks correlation and time-based searches.

The picture below illustrates this case with a Cisco ASA security syslog (field "rawlog") without any time zone information. Note the field "date" shows "+0000" as the default time zone.

Image

Configure a Global Default time zone

When all devices managed by the MSActivator are in the same time zone, you can set a global default time zone for the syslogs. This is done with the MSActivator CLI-based Configuration Tool. Note that the value is a fixed UTC offset, not a named zone: if the devices are in a region that observes daylight saving time, the offset has to be updated when the clocks change, unless the devices are set to log in UTC.

UBIqube SOC Configuration Menu → SEC Engine configuration → SEC Engine syslog configuration → Default time zone offset for received syslogs

Change the default value +0000 to the offset you need, e.g. +0900, and reconfigure the SecEngine.

Run the CLI /opt/sms/configure to reconfigure the SecEngine. This also restarts the daemons affected by the configuration change.

When entering the time zone in the configurator, make sure you prefix the value with a backslash ('\'). Example: '\+0900'

Once the new default time zone is configured, the syslogs are indexed with +0900 (or whichever offset you selected). The change is visible in the field "date" below:

Image

Configure a time zone for a Specific Device

If your managed devices are configured with different time zones, you need to configure the time zone for each device individually.

This can be done by implementing a Microservice with a parameter $param.timezone that holds the offset to apply to that device's syslogs.

With the configuration below:

Image

The syslogs get localized to the time zone GMT-0020.

Image

Important

The Microservice must be defined in a file named system.xml.

You can find a simple example on Github at https://github.com/openmsa/Workflows-Microservices/tree/master/MICROSERVICES/CISCO .

This example lets you configure the time zone to set on the syslogs. It can be extended with a full IMPORT/CREATE/... implementation to synchronize the time zone between the MSActivator and the device.
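To see why the default matters, and how the global default and the per-device offset described above interact, here is an added Python example (not MSActivator code, and not the Microservice from the GitHub repository). It reproduces the indexing behaviour in miniature: a BSD-style timestamp with no offset, as Cisco ASA emits, gets the configured offset applied, while an RFC 5424 timestamp that already states its offset is left alone. The syslog lines, the host names and the DEVICE_TZ mapping (standing in for the $param.timezone value of the per-device Microservice) are constructed for the example; the year is supplied by hand because the BSD format has none.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines (not captured from real devices). The first two
# use the BSD/RFC 3164 timestamp that Cisco ASA emits, which carries no offset;
# the third is an RFC 5424 line whose timestamp already states its offset.
SAMPLE_LOGS = [
    'Mar 12 08:15:00 fw-tokyo %ASA-6-302013: Built inbound TCP connection 1 '
    'for outside:203.0.113.5/443 to inside:10.0.0.10/51234',
    'Mar 12 08:15:03 fw-paris %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:10.0.1.2/22 by access-group "outside_in"',
    '2024-03-12T08:15:05+09:00 fw-osaka %ASA-6-302014: Teardown TCP connection 2',
]

# Hypothetical per-device offsets, playing the role of the $param.timezone value
# the Microservice holds for each device. Same "+HHMM" syntax as the
# Configuration Tool's "Default time zone offset for received syslogs".
DEVICE_TZ = {"fw-tokyo": "+0900", "fw-paris": "+0100"}

DEFAULT_TZ = "+0000"  # the MSActivator default described in the text

BSD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
RFC5424_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[0-9:.]+(?:Z|[+-]\d{2}:\d{2})) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_offset(offset):
    """Convert '+0900' or '-0020' to a tzinfo; anything else is rejected."""
    m = re.fullmatch(r"([+-])(\d{2})(\d{2})", offset)
    if not m:
        raise ValueError(f"bad time zone offset {offset!r}")
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))


def parse_syslog(line, assumed_offset, year=2024):
    """Return host, local timestamp, UTC timestamp and raw line for one syslog line.

    An RFC 5424 timestamp keeps the offset the device sent. A BSD timestamp has
    none, so assumed_offset is applied; this is exactly the step that goes wrong
    when the device is not really in that zone.
    """
    m = RFC5424_RE.match(line)
    if m:
        local = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    else:
        m = BSD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        local = naive.replace(tzinfo=parse_offset(assumed_offset))
    return {
        "host": m["host"],
        "date": local.isoformat(),
        "utc": local.astimezone(timezone.utc).isoformat(),
        "rawlog": line,
    }


def index_logs(lines, device_tz=None, default_tz=DEFAULT_TZ, year=2024):
    """Index lines as the text describes: the per-device offset when one is
    configured for the sending host, otherwise the global default."""
    device_tz = device_tz or {}
    indexed = []
    for line in lines:
        m = RFC5424_RE.match(line) or BSD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        indexed.append(parse_syslog(line, device_tz.get(m["host"], default_tz), year))
    return indexed


def indexing_skew_seconds(lines, device_tz, default_tz=DEFAULT_TZ, year=2024):
    """Seconds by which each host's events land away from their true UTC time
    when only the global default is used. Positive means the event is indexed
    later than it really happened."""
    wrong = index_logs(lines, None, default_tz, year)
    right = index_logs(lines, device_tz, default_tz, year)
    skew = {}
    for w, r in zip(wrong, right):
        delta = datetime.fromisoformat(w["utc"]) - datetime.fromisoformat(r["utc"])
        skew[w["host"]] = int(delta.total_seconds())
    return skew


if __name__ == "__main__":
    for event in index_logs(SAMPLE_LOGS, DEVICE_TZ):
        print(event["host"], event["date"], "->", event["utc"])
    print("skew with +0000 default:", indexing_skew_seconds(SAMPLE_LOGS, DEVICE_TZ))
```

With the default alone, fw-tokyo's 08:15 local event is stored as 08:15 UTC, nine hours after it actually happened; with the per-device map it is stored as 23:15 UTC of the previous day, which is where a correctly configured Paris firewall's 07:15 UTC event would line up against it. The RFC 5424 line is unaffected either way, which is the check worth running before changing the default: only lines whose timestamp lacks an offset are at risk.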