000026973 - How to understand the difference between times displayed in windows logs  system time  and event.time meta in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000026973
Applies ToRSA Security Analytics
RSA Security Analytics Windows Legacy Collector
Microsoft WinRM
IssueHow to understand the difference between times displayed in windows logs, system time, and event.time meta in RSA Security Analytics.
When viewing a raw Windows log in RSA Security Analytics, the time displayed may be different from that when viewing the event in the Windows Event Viewer.


Windows Event Logs are stored internally in UTC time on the system. When displayed in eventviewer the time displayed for the event is calculated from the Timezone set for the windows system, and the UTC time of the system. Therefore if UTC Time is 13:47:13 and the timezone set on the windows computer is UTC+3, then the time displayed in the Windows Event viewer will by 13:47:13 + 3 hours = 16:47:13

However internally the log will be written in UTC time.

You can verify this by going into the windows event log viewer and clicking on the log entry in XML view. 

The time created will end with Z which indicates it is in Zulu Time or UTC/GMT 

<TimeCreated SystemTime="2014-07-02T13:47:13.000000000Z" /> 



Windows Logs are collected by either Winrm or using a Windows Legacy Log Collector. This method collects the log on the polling interval and the Event Time displayed will be when the was processed by the corresponding Log Collector.  This will be the UTC time of the Log Collector. This means that there could be delay between the event time and the windows event of up to the polling interval chosen for these methods.. In extreme circumstances, if no log events could be collected for some time from a windows machine, then these would be queued on the windows machine until they could eventually be retrieved. This could lead to a longer mismatch between times. Note that the actual event.time meta for the log entry is correctly parsed and stored and can be seen when looking at the detailed view for the log.


The time displayed in the Security Analytics Investigate GUI is based upon the event.time in the log and the setting under  Main Menu ->Profile ->Preferences ->General ->Browser Time Zone. ( See the RSA Security Analytics official documentation for additional information.)


If the timezone is set to UTC+3, then the sample log above will be shown with Event Time 16:47:13

Under Administration ->Devices -> Choose Any Device -> View System the Current Time displayed is the UTC time of that device.


The following pictures clarify these points.







Be aware that you can change the windows logs to contain the current localtime. This can be done by setting the time on the Windows Machine to the current UTC time, and setting the timezone on the windows machine to also be the UTC timezone. This would have the affect that the local windows machine time would display the time in UTC and not the local time though which may not be desirable.


Under Envision it was possible to change the time of the event to the Log Collectors time zone.

In envision, we have a windows_normalization.xml file. It dictates how we use the event time, event SIDs and everything else. By default we have this particular line in the xml


?<xpath id="timestamp" transform="ToEnvisionTimestamp">./event:System/event:TimeCreated/@SystemTime</xpath>,?  


This means we are changing time of the event as per the Log Collector time zone.


Our default time in SA on all systems is UTC, which was not the case in envision.

Legacy Article IDa66732