000029333 - How to understand the difference between times displayed in Check Point Smart Tracker and event.time meta in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Sep 6, 2019
Version 5

Article Content

Article Number: 000029333
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4 and above
Platform: CentOS
Platform (Other): Check Point Smart Tracker
Issue: When viewing a raw Check Point log in RSA Security Analytics, the time displayed may differ from the time shown for the same event in the Check Point Smart Tracker.

Check Point logs (like the logs of most security devices) are stored internally in UTC on the system. When an event is displayed in the Smart Tracker, the time shown is calculated from the time zone set for the Check Point system.

Here is an example:

  1. Some log entries as shown in the Check Point Smart Tracker. The time is in EST (UTC-5):

User-added image

  2. The same log entry highlighted above, as seen in the Security Analytics Investigator. The entry is in UTC (EST +5), as you can see from the screenshot below:

User-added image

  3. The time on the Check Point itself is set to the EST time zone, but the logs are generated in UTC:

User-added image
Resolution: The Check Point firewall (like most security devices) generates logs in UTC.
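
To line up a Smart Tracker row with its event.time value during an investigation, the conversion described above can be scripted. The following is an added example, not RSA or Check Point code; it goes beyond the fixed EST case by using the device's IANA time zone so daylight-saving changes are handled. The timestamp format, the function names and the sample values are assumptions.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+, needs the system tz database

FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format; adjust to your export


def utc_to_local(event_time: str, device_tz: str) -> str:
    """Render a UTC event.time as the wall-clock time Smart Tracker would show."""
    utc = datetime.strptime(event_time, FMT).replace(tzinfo=timezone.utc)
    return utc.astimezone(ZoneInfo(device_tz)).strftime(FMT)


def local_to_utc(display_time: str, device_tz: str) -> list[datetime]:
    """Return every UTC instant a Smart Tracker wall-clock time can map to.

    Normally one instant; two in the repeated hour when daylight saving ends;
    none in the skipped hour when daylight saving starts.
    """
    tz = ZoneInfo(device_tz)
    naive = datetime.strptime(display_time, FMT)
    candidates = []
    for fold in (0, 1):  # fold selects the first/second pass of a repeated hour
        utc = naive.replace(tzinfo=tz, fold=fold).astimezone(timezone.utc)
        # The round trip drops wall-clock times that never existed locally.
        if utc.astimezone(tz).replace(tzinfo=None) == naive and utc not in candidates:
            candidates.append(utc)
    return candidates


def same_event(display_time: str, event_time: str, device_tz: str) -> bool:
    """True if the Smart Tracker time and the UTC event.time can be the same instant."""
    utc = datetime.strptime(event_time, FMT).replace(tzinfo=timezone.utc)
    return utc in local_to_utc(display_time, device_tz)


if __name__ == "__main__":
    # Constructed sample values: a device set to US Eastern time.
    print(utc_to_local("2016-01-14 15:15:30", "America/New_York"))
    print(same_event("2016-01-14 10:15:30", "2016-01-14 15:15:30", "America/New_York"))
```
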
