000026342 - How to configure NTP on an RSA Netwitness appliance

The RSA NetWitness architecture relies heavily on a consistent time source to keep the data synchronized between multiple devices.  It is highly recommended that NTP be setup on every RSA NetWitness appliance to ensure optimal performance.  Not doing so may result in sluggish query performance, concentrators falling behind in consumption, and/or devices being aggregated always remaining in a waiting state instead of consuming.

NTP can be configured by following the steps below, which will configure the time synchronization parameters.

1. Connect to the device via RSA NetWitness Administrator using the 50006 appliance service port.
2. Double-click on the device adn select the Appliance Tasks button.
3. Select Set Network Time Source.
4. Enter your NTP server name and click the Run button, using the following syntax:  source=<ntp_source>

You can verify the NTP server information by examining the /etc/ntp.conf file via SSH.  The entry will appear similar to the following:  server 0.pool.ntp.org

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance. 

If your appliances have access to the Internet, 0.pool.ntp.org can be used as the NTP server.

If the NTP configuration does not appear to be persistent after rebooting the appliance, follow the procedure in the knowledgebase article Setting the NTP source on an RSA NetWitness appliance is not persistent after reboot.