Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000026824 - Understanding event time in WinRM logs in RSA Security Analytics / NetWitness Platform

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Sep 23, 2019

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000026824
Applies To	RSA Product Set: Security Analytics, NetWitness Logs & Network RSA Product/Service Type: Log Collector (WinRM Collection) RSA Version/Condition: 10.x, 11.x Platform: CentOS O/S Version: EL6, EL7
Issue	Understanding event time in Windows logs collected via WinRM collection method in RSA Security Analytics / NetWitness Logs & Network.
Resolution	WinRM can send data in GMT/UTC time. If the event time stamp being sent by WinRM has a "Z", as in <TimeCreated SystemTime="2012-08-10T14:56:38.000000000Z"/> (It can be also looked into from the Event Viewer -> Application/System/Security -> double-click any event-> opens a new dialog box-> go to the Details tab-> select radio button XML View and then look for the Time Created), then the events in the system are stored in the UTC time and that is what would be sent across. More on this "Z" and time zone codes can be found at Coordinated Universal Time and an excerpt on the "Z": The UTC time zone is sometimes denoted by the letter Z - a reference to the equivalent nautical time zone (GMT), which has been denoted by a Z since about 1950. The letter also refers to the "zone description" of zero hours, which has been used since 1920 (see time zone history). Since the NATO phonetic alphabet word for Z is "Zulu", UTC is sometimes known as Zulu time. This is especially true in aviation, where Zulu is the universal standard.[23] This ensures all pilots regardless of location are using the same 24-hour clock, thus avoiding confusion when flying between time zones. WinRM does not manipulate any time either. To simplify, WinRM is an agent which reads the events stored and sends it across (without manipulation) to the Log Collector / Remote Log Collector: How the Time is determined ? The time depends on the way an event is stored by the system or the Event Source not WinRM. Example An example of an event in xml format as stored in the system/Event Source as below, <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/> <EventID>800</EventID> <Version>0</Version> <Level>4</Level> <Task>43</Task> <Opcode>1</Opcode> <Keywords>0x4004000000000000</Keywords> <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/> <EventRecordID>34724172</EventRecordID> <Correlation/> <Execution ProcessID='6432' ThreadID='4992'/> <Channel>Microsoft-Windows-PrintService/Operational</Channel> <Computer>server1.abc.def.ghk</Computer> <Security UserID='S-1-5-21-1605315502-1971273683-2142917321-8548458'/> </System> <UserData> <JobDiag xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'> <JobId>19</JobId> </JobDiag> </UserData> <RenderingInfo Culture='en-US'> <Message>Spooling job 19.</Message> <Level>Information</Level> <Task>Print job diagnostics</Task> <Opcode>Start</Opcode> <Channel>Operational</Channel> <Provider>Microsoft-Windows-PrintService</Provider> <Keywords> <Keyword>WDI Diag</Keyword> </Keywords> </RenderingInfo> </Event> WinRM would pick it up and send across without changing anything. If you look closely (the line in yellow), the time has a letter "Z" at the end, meaning GMT/UTC time. And that is what is sent across. Whereas in Agentless collection, the Time Generated is of interest and is an offset of no of ticks since 00:00:00 1st January 1970. This offset is converted into readable time. This readable time is the local time of the collector.
Legacy Article ID	a64915

Attachments

Outcomes

0 Comments

Recommended Content