000026824 - Understanding event time in WinRM logs in RSA Security Analytics / NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 23, 2019.
Version 4

Article Content

Article Number: 000026824
Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector (WinRM Collection)
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
Issue:
Understanding event time in Windows logs collected via the WinRM collection method in RSA Security Analytics / NetWitness Logs & Network.
Resolution
  • WinRM can send data in GMT/UTC time.

  • If the event time stamp sent by WinRM ends in a "Z", as in <TimeCreated SystemTime="2012-08-10T14:56:38.000000000Z"/>, then the events are stored on the system in UTC and that is what is sent across. (This can also be checked in the Event Viewer: open Application/System/Security, double-click any event, go to the Details tab in the dialog that opens, select the XML View radio button and look for TimeCreated.)


The UTC time zone is sometimes denoted by the letter Z, a reference to the equivalent nautical time zone (GMT), which has been denoted by a Z since about 1950. The letter also refers to the "zone description" of zero hours, which has been used since 1920. Since the NATO phonetic alphabet word for Z is "Zulu", UTC is sometimes known as Zulu time. This is especially true in aviation, where Zulu is the universal standard: it ensures that all pilots, regardless of location, use the same 24-hour clock, avoiding confusion when flying between time zones.


  • WinRM does not manipulate the time either. Put simply, WinRM is an agent that reads the stored events and sends them across, unmodified, to the Log Collector / Remote Log Collector:

How the time is determined

The time depends on how an event is stored by the system or the Event Source, not on WinRM.


Example

An example of an event in XML format, as stored on the system / Event Source:


<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/>
    <EventID>800</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>43</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4004000000000000</Keywords>
    <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/>
    <EventRecordID>34724172</EventRecordID>
    <Correlation/>
    <Execution ProcessID='6432' ThreadID='4992'/>
    <Channel>Microsoft-Windows-PrintService/Operational</Channel>
    <Computer>server1.abc.def.ghk</Computer>
    <Security UserID='S-1-5-21-1605315502-1971273683-2142917321-8548458'/>
  </System>
  <UserData>
    <JobDiag xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'>
      <JobId>19</JobId>
    </JobDiag>
  </UserData>
  <RenderingInfo Culture='en-US'>
    <Message>Spooling job 19.</Message>
    <Level>Information</Level>
    <Task>Print job diagnostics</Task>
    <Opcode>Start</Opcode>
    <Channel>Operational</Channel>
    <Provider>Microsoft-Windows-PrintService</Provider>
    <Keywords>
      <Keyword>WDI Diag</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>


  • WinRM picks it up and sends it across without changing anything. Look closely at the TimeCreated line: the time ends with the letter "Z", meaning GMT/UTC time, and that is exactly what is sent across.

  • In Agentless collection, by contrast, the Time Generated value is of interest. It is an offset, the number of ticks since 00:00:00 on 1 January 1970, which is converted into a readable time; that readable time is the local time of the collector.
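As an added example (not from this article or RSA's own code), the following Python extracts the TimeCreated stamp from an Event XML record like the one above, keeps it as UTC because of the trailing Z, and converts the same instant for display in a collector's local zone. The sample event and the fixed -5 hour collector offset are constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the PrintService event above (same namespace
# and TimeCreated format); it is not a record from a real host.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-PrintService'/>
    <EventID>800</EventID>
    <TimeCreated SystemTime='2014-01-28T14:53:41.154411700Z'/>
    <Computer>server1.example.invalid</Computer>
  </System>
</Event>"""

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# SystemTime as written by the Event Log: up to 9 fractional digits, optional Z.
_STAMP = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z)?$"
)


def parse_system_time(stamp):
    """Return a TimeCreated SystemTime value as a UTC-aware datetime.

    The trailing 'Z' means the event was stored in UTC, so the result is tagged
    UTC. The log keeps 100 ns ticks (9 fractional digits) but datetime holds
    microseconds, so the fraction is truncated rather than rounded to preserve
    event ordering. A stamp without 'Z' has an unknown zone and is rejected.
    """
    m = _STAMP.match(stamp)
    if not m or m.group(8) != "Z":
        raise ValueError(f"not a UTC (Z-suffixed) timestamp: {stamp!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    micros = int((m.group(7) or "0").ljust(9, "0")[:6])
    return datetime(y, mo, d, h, mi, s, micros, tzinfo=timezone.utc)


def event_time_utc(event_xml):
    """Find <System><TimeCreated SystemTime=...> in an Event record (UTC)."""
    root = ET.fromstring(event_xml)
    node = root.find("e:System/e:TimeCreated", EVENT_NS)
    return parse_system_time(node.get("SystemTime"))


def as_collector_local(utc_dt, utc_offset_hours):
    """Show the same instant in the collector's local zone (fixed offset)."""
    return utc_dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))
```

Converting to the collector's zone changes only the displayed wall-clock value; the instant compares equal to the UTC value WinRM delivered.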
Legacy Article ID: a64915
