000037617 - Malware Analysis time difference issue depending on OS timezone configuration in RSA NetWitness 11.x

Document created by RSA Customer Support Employee on Jul 11, 2019
Version 1

Article Content

Article Number: 000037617
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS
O/S Version: 7
Product Name: RSA NetWitness

Issue
If the NetWitness Server and Malware Analysis OS timezones are not configured as UTC, the Malware GUI displays a difference between "Date Archived" and "Session Time".
With the OS timezone set to KST (Korea Standard Time), the Malware GUI shows a 30-minute time difference.

Cause
The RSA NetWitness Server and Malware Analysis OS timezones are not configured to use UTC (KST in this example).

Resolution
Change the RSA NetWitness Server and Malware Analysis OS timezones from {Your_Timezone} to UTC.

Workaround
If the customer does not allow the current OS timezone to be changed, follow these steps to fix the issue.
  1. Connect to the Malware Analysis appliance via SSH.
  2. Add the option "-Duser.timezone=UTC" to the line starting with "ExecStart" in /etc/systemd/system/multi-user.target.wants/rsa-nw-malware-analytics-server.service.
  3. Restart the Malware Analysis service.


# systemctl daemon-reload
# systemctl restart rsa-nw-malware-analytics-server.service


After the above steps, the time difference issue will be resolved.
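
Step 2 of the workaround as a script (an added example, not RSA's own code): it inserts the option only once, keeps a .bak copy, and refuses to edit a unit it does not understand. It assumes ExecStart invokes java directly and that the option belongs right after the executable; the sample unit content used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not RSA code): apply the -Duser.timezone=UTC workaround idempotently.

# Succeeds if the ExecStart line already carries the option.
has_utc_flag() {
    grep -Eq '^ExecStart=.*[[:space:]]-Duser\.timezone=UTC([[:space:]]|$)' "$1"
}

# Insert the option right after the java executable on the ExecStart line.
# Assumption: ExecStart starts java directly (not through a wrapper script).
add_utc_flag() {
    unit=$1
    [ -f "$unit" ] || { echo "no such unit file: $unit" >&2; return 2; }
    if has_utc_flag "$unit"; then
        return 0    # already applied, leave the file untouched
    fi
    # First word of ExecStart, without systemd's optional prefix characters.
    exe=$(sed -n 's/^ExecStart=[-@+!:]*\([^[:space:]]*\).*/\1/p' "$unit" | head -n 1)
    case $exe in
        java|*/java) ;;
        *) echo "ExecStart does not invoke java directly: '$exe'" >&2; return 3 ;;
    esac
    tmp=$(mktemp) || return 1
    cp -p "$unit" "$unit.bak" || { rm -f "$tmp"; return 1; }
    awk '
        /^ExecStart=/ && !done { sub(/[ \t]+/, " -Duser.timezone=UTC "); done = 1 }
        { print }
    ' "$unit" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the path rather than renaming over it: if the entry in
    # multi-user.target.wants is a symlink, it and the target's mode survive.
    cat "$tmp" > "$unit"
    rm -f "$tmp"
    has_utc_flag "$unit"
}

# Usage: sh add_utc_flag.sh <unit file>   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    add_utc_flag "$1"
fi
```

Run it as root with the unit path from step 2, then continue with the daemon-reload and restart in step 3.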