Applies To:
RSA Product Set: Security Analytics
RSA Version/Condition: 10.0.x, 10.1.x, 10.2.x, 10.3.x, 10.4.x
Issue:
By default, the NTP daemon (ntpd) as shipped on the Security Analytics appliances is configured to synchronize to public NTP servers that are frequently unreachable from customer networks. For Security Analytics releases prior to 10.4, synchronized time is highly desirable to produce packet and log captures with correct timestamps and to improve query performance across multiple sites.
As of Security Analytics 10.4, NTP, PTP, or another form of time synchronization of all appliances is mandatory for correct operation of Security Analytics.
Resolution:
To configure basic operation of NTP, first establish a secure shell (ssh) session to the appliance that is not configured for NTP synchronization. Shut down the NTP daemon if it is running.
service ntpd stop
Open the NTP configuration file, ntp.conf, with an editor such as vi.
Normally, it is not necessary to modify any parameters in ntp.conf, other than the lines beginning with the server directive. If you believe advanced configuration is required, please consult the administrator of your NTP servers, the manufacturer of your NTP appliances (if applicable), or public resources providing additional documentation of the operation and configuration of NTP services, such as the Linux Systems Administrators Guide.
Comment out any NTP servers you do not intend to synchronize against by placing a leading hash mark. By default, ntp.conf defines several public time servers at the ntp.org pool. You may wish to comment these out unless you intend to use them.
# server 0.centos.pool.ntp.org iburst
Insert one server directive for each NTP time source you intend to use. You can provide either a hostname or IP address. NTP servers are specified one per line. It may be desirable to use the burst parameter to enable faster initial synchronization at the cost of less-accurate time earlier in the synchronization process.
Do not use the burst option when synchronizing against public NTP servers.
Publicly accessible NTP servers are regarded as a public service, and they are operated by volunteers. Because the burst option places extra load on those servers, their administrators may consider it abuse and ban your IP address or netblock. Consult with your NTP administrator before using this option.
When you are finished, restart ntpd.
service ntpd start
You can monitor the status of your time synchronization with the ntpq (NTP query) utility and the -p (peers) option.
In the ntpq -p output, an asterisk (*) next to the peer name indicates that ntpd has selected this peer as the preferred NTP peer and is actively synchronizing with it. Fallback peers are designated with a plus (+). Peers marked "bad" for any reason are prefixed with an "x". For other indicators, consult the ntpq manpage.
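The following helper is an added example and is not part of the RSA article: it classifies each peer in ntpq -p output by its tally code (*, +, x, or blank) and returns success only when ntpd has selected a system peer, so it can be dropped into a post-install check. The two ntpq -p outputs and the peer names (ntp1.example.com and so on) are constructed sample data.

```shell
#!/bin/sh
# Hypothetical helper (not from the RSA article): classify the peers in
# `ntpq -p` output by their tally code and report whether ntpd has
# selected a system peer. Exit status 0 = synchronized, 1 = not yet.

# Constructed sample of `ntpq -p` output for a synchronized appliance.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 10.0.0.5         2 u   34   64  377    0.412   -0.089   0.031
+ntp2.example.com 10.0.0.6         2 u   12   64  377    0.537    0.102   0.044
xntp3.example.com 10.0.0.7         2 u   40   64  377    0.611   48.201   0.052'

# Constructed sample taken shortly after `service ntpd start`: no peer selected yet.
SAMPLE_STARTING='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.com .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_peer_report: read ntpq -p text on stdin and print "<state> <peer> reach=<n>"
# for each peer. Tally codes: '*' selected system peer, '+' candidate,
# 'x' falseticker, blank = not selected (e.g. unreachable). Returns 0 if a
# system peer exists, 1 otherwise.
ntp_peer_report() {
    awk '
        NR <= 2 { next }                      # skip the header and ==== line
        {
            code = substr($0, 1, 1)           # tally code is always column 1
            peer = substr($0, 2)              # strip it before splitting fields
            split(peer, f, " ")               # f[1]=remote ... f[7]=reach
            if (code == "*") { state = "selected"; synced = 1 }
            else if (code == "+") state = "candidate"
            else if (code == "x") state = "falseticker"
            else state = "unselected"
            printf "%s %s reach=%s\n", state, f[1], f[7]
        }
        END { exit synced ? 0 : 1 }
    '
}

# ntp_is_synced: same check, status only (for use in scripts and monitoring).
ntp_is_synced() {
    ntp_peer_report >/dev/null
}

printf '%s\n' "$SAMPLE_SYNCED" | ntp_peer_report
printf '%s\n' "$SAMPLE_STARTING" | ntp_is_synced || echo "not synchronized yet"
```

On a live appliance, replace the sample with `ntpq -p | ntp_peer_report`; a reach value below 377 means recent polls to that peer were missed.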
If using the burst option, initial NTP synchronization should finish within 15-30 seconds. If not using this option, synchronization may take up to 10-15 minutes. This initial start-up time is a one-time cost of establishing synchronization. Once synchronized, your NTP peer should remain synchronized unless ntpd is deliberately stopped or the NTP peers become inaccessible for some reason.
To ensure that ntpd is always started on boot, it may be necessary to add it to several of the default UNIX runlevels via the chkconfig command. It is safe to run this command whether or not ntpd is already added to these runlevels.
chkconfig --level 2345 ntpd on
If you are unable to synchronize time via NTP for any reason, please check network connectivity between the Security Analytics appliances and the NTP peers you are attempting to use as time sources. You may also wish to consult /var/log/messages for any warnings or errors related to ntpd.
grep -E 'ntpd\[[0-9]*\]' /var/log/messages
If you continue to experience synchronization failures, please consult your NTP administrator or the manufacturer of your NTP appliances (if applicable).
Notes:
Do not use the burst option when synchronizing against public NTP servers.