|Applies To||RSA Product Set: Security Analytics; RSA Product/Service Type: RSA Security Analytics Server; RSA Version/Condition: 10.X|
|Issue||Logs collected from Check Point may show a significant time delay. This affects only some logs; most logs arrive in a timely fashion. |
For example, the log entry below had a header timestamp of May 18 2016 14:37:46 but was not processed on the corresponding log decoder until 21:38:34 of the same day, giving a time difference of approximately 7 hours.
May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,192.168.x.x,59515,192.168.x.x,22,ssh,tcp,10,716869,6:01:22
|Cause||The delayed logs are all Check Point account logs, which record when a session starts and ends. Check Point writes the account log only when the session is closed, so a long-lived session produces a record whose timestamp is well in the past by the time it is sent. In the Check Point SmartCenter GUI this corresponds to the Account option in the Track column, as shown below.|
|Resolution||The log collector builds the header of the log message from information inside the Check Point message itself, so the time in the header is not necessarily the time at which the Check Point message was written to the log collector. In the example:|
May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,192.168.x.x,59515,192.168.x.x,22,ssh,tcp,
The header time is generated from the 18May2016 14:37:46 field of the Check Point log message, that is, from the timestamp carried inside the message. It does not mean that the log message was received at May 18 2016 14:37:46.
|Notes||This article only explains why specific log messages (Check Point account logs) may appear delayed. If all Check Point log messages are delayed, that is a different problem and needs to be troubleshot separately.|
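As an added illustration (not part of this article and not RSA or Check Point product code), the following Python script shows how the decoder's header time relates to the timestamp inside a Check Point account record, and how to tell an account-log-only delay, which is expected, from a systemic collection delay, which needs troubleshooting. It assumes that the trailing h:mm:ss field of an account record is the session elapsed time, uses a constructed 5-minute lateness threshold, and runs over constructed sample records modelled on the one quoted above (the IP addresses are made up).

```python
"""Check Point log latency on a log decoder: constructed example.

Assumptions (not from the article): the trailing h:mm:ss field of a
Check Point account record is the session elapsed time, and a message
processed more than LATE_AFTER after its header time counts as late.
"""
from datetime import datetime, timedelta
import re

HEADER_FMT = "%b %d %Y %H:%M:%S"                        # e.g. "May 18 2016 14:37:46"
ELAPSED_RE = re.compile(r",(\d+):(\d{2}):(\d{2})\s*$")  # assumed elapsed-time field
LATE_AFTER = timedelta(minutes=5)                       # constructed lateness threshold

# Constructed sample records: (header time, decoder processing time, message).
# The first mirrors the article's example; addresses are made-up RFC 1918 values.
SAMPLE_RECORDS = [
    ("May 18 2016 14:37:46", "May 18 2016 21:38:34",
     "%CHKPNT-6-060020: accept,192.168.10.5,inbound,eth0,192.168.10.5,59515,"
     "192.168.20.9,22,ssh,tcp,10,716869,6:01:22"),
    ("May 18 2016 14:40:01", "May 18 2016 14:40:03",
     "%CHKPNT-6-060020: accept,192.168.10.6,inbound,eth0,192.168.10.6,51002,"
     "192.168.20.9,443,https,tcp"),
    ("May 18 2016 14:40:10", "May 18 2016 14:40:11",
     "%CHKPNT-6-060020: drop,192.168.10.7,inbound,eth0,192.168.10.7,40211,"
     "192.168.20.9,23,telnet,tcp"),
]


def parse_time(text):
    """Parse a header-style timestamp such as 'May 18 2016 14:37:46'."""
    return datetime.strptime(text, HEADER_FMT)


def elapsed_from_message(message):
    """Return the session elapsed time if the message is an account record, else None."""
    match = ELAPSED_RE.search(message)
    if not match:
        return None
    hours, minutes, seconds = (int(x) for x in match.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def classify(header_time, processed_time, message):
    """Classify one record's apparent delay.

    Returns (kind, delay, residual): kind is 'on_time', 'account_expected'
    or 'late'; delay is processed time minus header time; residual is the
    part of the delay not explained by the session's elapsed time.
    """
    delay = parse_time(processed_time) - parse_time(header_time)
    elapsed = elapsed_from_message(message)
    if elapsed is not None:
        # The header carries the time inside the message (session start), and
        # the record is only written at session close, so most of the apparent
        # delay is the session's own duration.
        return "account_expected", delay, delay - elapsed
    if delay > LATE_AFTER:
        return "late", delay, delay
    return "on_time", delay, delay


def assess(records, late_ratio=0.5):
    """Decide whether delay is confined to account records or is systemic.

    Account records are exempt; if at least late_ratio of the remaining
    records are late, the whole feed is delayed and the collector path
    (not the Check Point logging behaviour) needs troubleshooting.
    """
    counts = {"on_time": 0, "account_expected": 0, "late": 0}
    for header_time, processed_time, message in records:
        kind, _, _ = classify(header_time, processed_time, message)
        counts[kind] += 1
    non_account = counts["on_time"] + counts["late"]
    if non_account and counts["late"] / non_account >= late_ratio:
        return "systemic", counts
    return "account_only", counts


if __name__ == "__main__":
    for header, processed, message in SAMPLE_RECORDS:
        kind, delay, residual = classify(header, processed, message)
        print(f"{kind:17} delay={delay} residual={residual}")
    print(assess(SAMPLE_RECORDS))
```

For the article's example the script reports a delay of 7:00:48 of which 6:01:22 is the session's own duration under the elapsed-time assumption, and classifies the feed as "account_only" because the non-account records arrived within seconds; feeding it a batch where ordinary accept/drop records are also late flips the verdict to "systemic".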