Description
Summary of Topic
AccelOps supports 3 different time attributes in parsed events.
- Device Time: Time at which device event is generated
- Event Receive Time: Time at which event received by AccelOps. Time set based on Collector's Time Zone
- Event Occur Time: For some devices, there is a time field within the device event [eg. Symantec]
These are set based on the following:
- Application or device generates a log and populates some time field, this is the Event Occur Time
- NOTE: Some devices/logs do not have such a time so the fields may not be populated in all cases
- Syslog/Device Logging facility puts a time value in the raw event somewhere, This is the Device Time
- Example: Syslog inserts a timestamp in the syslog header
- AccelOps Collector or Super receives an event, This information is inserted as Event Receive Time
Additional information
Time attributes are stored in Unix Epoch Time. Epoch Time is the number of seconds that have elapsed since midnight Coordinated Universal Time (UTC). The Coordinated Universal Time is the number a seconds which have elapsed since January, 1st of 1970 at 00:00.
Ex. 16:25:15 CET and 15:25:15 UTC will be translated and stored as 1358263515.
- NOTE: CET's time zone offset is UTC +1
Caveats
Currently timezone is not read from time field in device event so it is assumed to be in the timezone of the collector or super, whichever received the event.
- NOTE: This will be fixed in a future AO release.
When an event is viewed in a web browser via the AO UI, the various Time Attributes are adjusted to the current timezone of the computer you are running the web browser on. So if the event time attributes are in UTC but your laptop is in PST then all the time attributes are converted from UTC to PST in the UI.
if you export events from the AO UI the time attributes are converted to the timezone of the Super.
- NOTE: This will be fixed in a future AO release.
Version Application
All
