000029836 - How to configure an RSA Security Analytics appliance to synchronize time via NTP

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029836
Applies To: RSA Product Set: Security Analytics
RSA Version/Condition: 10.0.x, 10.1.x, 10.2.x, 10.3.x, 10.4.x
Platform: CentOS
Issue
By default, the NTP daemon (ntpd) as shipped on the Security Analytics appliances is configured to synchronize to public NTP servers that are frequently unreachable from customer networks. For Security Analytics releases prior to 10.4, synchronized time is highly desirable to produce packet and log captures with correct timestamps and to improve query performance across multiple sites.
As of Security Analytics 10.4, NTP, PTP, or another form of time synchronization of all appliances is mandatory for correct operation of Security Analytics.
Resolution
To configure basic operation of NTP, first establish a secure shell (ssh) session to the appliance that is not yet configured for NTP synchronization. Shut down the NTP daemon if it is running.
service ntpd stop

Open the NTP configuration file with an editor, such as vi.
vi /etc/ntp.conf

Normally, it is not necessary to modify any parameters in ntp.conf, other than the lines beginning with the server directive. If you believe advanced configuration is required, please consult the administrator of your NTP servers, the manufacturer of your NTP appliances (if applicable), or public resources providing additional documentation of the operation and configuration of NTP services, such as the Linux Systems Administrators Guide.
Comment out any NTP servers you do not intend to synchronize against by placing a leading hash mark (#) on each line. By default, ntp.conf defines several public time servers from the ntp.org pool. You may wish to comment these out unless you intend to use them.
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst

Insert one server directive for each NTP time source you intend to use. You can provide either a hostname or IP address. NTP servers are specified one per line. It may be desirable to use the burst parameter to enable faster initial synchronization at the cost of less-accurate time earlier in the synchronization process.
server ntp0.example.com
server ntp1.example.com

Do not use the burst option when synchronizing against public NTP servers.
Publicly accessible NTP servers are regarded as a public service, and they are operated by volunteers. The burst option places extra load on NTP servers; NTP administrators may consider this abuse and ban your IP address or netblock. Consult with your NTP administrator before using this option.
When you are finished, restart ntpd.
service ntpd start
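The edit-ntp.conf step above, written as a script. This is an added example and not part of the RSA article: the server names are the article's example.com placeholders, and the script works on whatever file path it is given so the result can be checked on a copy before /etc/ntp.conf is touched. The apply_ntp_config wrapper runs the surrounding steps on the appliance itself (stop ntpd, rewrite the file, start ntpd, and enable it at boot with chkconfig, as the article describes below).

```sh
#!/bin/sh
# Added example, not from the RSA article: the "edit ntp.conf" step as a
# script that can be tried on a copy of the file before it touches
# /etc/ntp.conf. Server names are the article's example.com placeholders.
# Usage: configure_ntp_conf /etc/ntp.conf ntp0.example.com ntp1.example.com

configure_ntp_conf() {
    conf="$1"; shift
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "at least one NTP source is required" >&2; return 1; }
    # Keep a timestamped copy so the change can be reverted.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    # Comment out every active server directive that points at the public
    # pool (the stock CentOS entries 0-3.centos.pool.ntp.org).
    sed -i 's/^[[:space:]]*server[[:space:]][[:space:]]*[^[:space:]]*pool\.ntp\.org.*/# &/' "$conf"
    # Append one server directive per requested source, skipping any that is
    # already configured so the script can be re-run safely.
    for src in "$@"; do
        if ! grep -qE "^server[[:space:]]+$src([[:space:]]|\$)" "$conf"; then
            printf 'server %s\n' "$src" >> "$conf"
        fi
    done
}

# Number of active (uncommented) server directives left in the file.
active_servers() {
    grep -c '^[[:space:]]*server[[:space:]]' "$1" || true
}

# Full procedure on the appliance itself (needs root; not run in the test):
# stop ntpd, rewrite the file, start ntpd, and make it start on boot.
apply_ntp_config() {
    service ntpd stop
    configure_ntp_conf /etc/ntp.conf "$@" || return 1
    service ntpd start
    chkconfig --levels 2345 ntpd on
}
```

Run configure_ntp_conf against a copy first (cp /etc/ntp.conf /tmp/ntp.conf.test, then inspect the result with active_servers and grep) and only then call apply_ntp_config with your internal time sources.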

You can monitor the status of your time synchronization with the ntpq (NTP query) utility and the -p (peers) option.
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
*ntp0.example.co .ACTS.           1 u   56 1024  377   44.826    0.137   1.396

In the above example, the asterisk (*) next to the peer name indicates that ntpd has selected this as the preferred NTP peer and is actively synchronizing with it. Fallback peers are designated with a plus (+). Peers marked "bad" for any reason are prefixed with an "x". For other indicators, consult the ntpq manpage.
man ntpq

If using the burst option, initial NTP synchronization should finish within 15-30 seconds. If not using this option, synchronization may take up to 10-15 minutes. This initial start-up time is a one-time cost of establishing synchronization. Once synchronized, your NTP peer should remain synchronized unless ntpd is deliberately stopped or the NTP peers become inaccessible for some reason.
To ensure that ntpd is always started on boot, it may be necessary to add it to several of the default UNIX runlevels via the chkconfig command. It is safe to run this command whether or not ntpd has already been added to these runlevels.
chkconfig --levels 2345 ntpd on

If you are unable to synchronize time via NTP for any reason, please check network connectivity between the Security Analytics appliances and the NTP peers you are attempting to use as time sources. You may also wish to consult /var/log/messages for any warnings or errors related to ntpd.
grep -E 'ntpd\[[0-9]*\]' /var/log/messages
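The two checks described above (the ntpq -p peer table and the ntpd entries in /var/log/messages) combined into a single pass/fail check that can run from cron or a monitoring agent. This is an added example, not part of the RSA article; the ntpq output and log lines it uses are constructed samples in the formats the article shows, not captures from an appliance, and the host name sa-decoder and the 192.0.2.x addresses are placeholders.

```sh
#!/bin/sh
# Added example, not from the RSA article: a check that turns "ntpq -p" output
# and the ntpd entries in /var/log/messages into a pass/fail result suitable
# for cron or a monitoring agent. Both sample inputs below are constructed in
# the formats the article shows; they were not captured from an appliance.

# Classify synchronization state from a saved "ntpq -p" peer table.
# Prints "synced <peer>" for the '*' peer, "candidate-only" if only '+'
# peers exist, or "unsynced" if ntpd has selected nothing.
ntp_sync_state() {
    awk '
        /^[[:space:]]*remote[[:space:]]/ || /^=+$/ { next }   # header / separator
        /^\*/ { print "synced " substr($1, 2); found = 1; exit }
        /^\+/ { cand = 1 }
        END { if (!found) print (cand ? "candidate-only" : "unsynced") }
    ' "$1"
}

# ntpd log lines that indicate trouble; the routine "synchronized to" and
# kernel-discipline lines are filtered out.
ntpd_log_problems() {
    grep -E 'ntpd\[[0-9]+\]' "$1" | grep -Ev 'synchronized to|kernel time sync' || true
}

# Overall verdict: returns 0 when a '*' peer is selected and the log is clean.
ntp_health() {
    state=$(ntp_sync_state "$1")
    case "$state" in
        synced*) ;;
        *) echo "NTP not synchronized ($state)"; return 1 ;;
    esac
    problems=$(ntpd_log_problems "$2")
    if [ -n "$problems" ]; then
        echo "ntpd reported problems:"; echo "$problems"; return 1
    fi
    echo "NTP OK: $state"
}

# Constructed "ntpq -p" sample: "synced" mirrors the article's output with a
# '+' fallback added; anything else is a peer ntpd cannot reach (.INIT., stratum 16).
sample_ntpq_output() {
    f=$(mktemp)
    {
        echo '     remote           refid      st t when poll reach   delay   offset  jitter'
        echo '=============================================================================='
        if [ "$1" = synced ]; then
            echo '*ntp0.example.co .ACTS.           1 u   56 1024  377   44.826    0.137   1.396'
            echo '+ntp1.example.co 192.0.2.10       2 u   61 1024  377   45.102    0.421   1.810'
        else
            echo ' ntp0.example.co .INIT.          16 u    -   64    0    0.000    0.000   0.000'
        fi
    } > "$f"
    echo "$f"
}

# Constructed /var/log/messages excerpt: one routine ntpd line, one problem
# line, and an unrelated sshd line that the filter must ignore.
sample_messages_log() {
    f=$(mktemp)
    {
        echo 'Jun 14 10:00:01 sa-decoder ntpd[2345]: synchronized to 192.0.2.10, stratum 1'
        echo 'Jun 14 10:05:01 sa-decoder ntpd[2345]: no servers reachable'
        echo 'Jun 14 10:05:02 sa-decoder sshd[2400]: Accepted publickey for admin from 192.0.2.50'
    } > "$f"
    echo "$f"
}
```

On an appliance, save the peer table with `ntpq -p > /tmp/peers.txt` and run `ntp_health /tmp/peers.txt /var/log/messages`; a non-zero exit status means either no peer is selected (no asterisk in the table) or ntpd logged something other than routine synchronization messages, which is the point at which the article's advice to check connectivity to the time sources applies.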

If you continue to experience synchronization failures, please consult your NTP administrator or the manufacturer of your NTP appliances (if applicable).
Notes
Do not use the burst option when synchronizing against public NTP servers.