000033189 - RSA Security Analytics - Time difference between event time and log time for checkpoint logs

Document created by RSA Customer Support Employee on Jun 30, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000033189
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: RSA Security Analytics Server
RSA Version/Condition: 10.X
Platform: CentOS
Issue
Logs collected from Check Point may show a significant time delay. This affects only some logs; most logs arrive in a timely fashion.
For example, the log entry below has a header timestamp of May 18 2016 14:37:46 but was not processed on the corresponding Log Decoder until 21:38:34 of the same day, an apparent delay of approximately 7 hours.
 
May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,192.168.x.x,59515,192.168.x.x,22,ssh,tcp,10,716869,6:01:22, , , , , , , , , , , , , , ,670625,46244, , , , , ,18May2016 14:37:46,1,VPN-1 & FireWall-1, , , , , , , ,ssh, , ,18May2016 14:37:46,18May2016 20:37:52,1318,606,712,712,606,46244,670625,eth0,eth0,eth1,eth1,2,0,0, , , , , ,060020, , , , , , , , , , , , , , , ,{FDF89252-FD12-41EE-8BF5-29B83235182E}, , , , ,

 
User-added image
Cause
The delayed logs are all Check Point Account logs. The Account track option records when a session starts and when it ends, and Check Point writes the record only when the session is closed. A long-lived session therefore produces a record hours after the session start time it carries: in the quoted example the session started at 18May2016 14:37:46 and ended at 18May2016 20:37:52. In the Check Point SmartCenter GUI this is shown by the Account option in the Track column, as in the image below.
[User-added image: Check Point SmartCenter Track column with the Account option]
Resolution
The log collector builds the header of the message from information in the message body, so the time in the header is not necessarily the time the Check Point message was received by the log collector. In the example:
May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,192.168.x.x,59515,192.168.x.x,22,ssh,tcp,10,716869,6:01:22, , , , , , , , , , , , , , ,670625,46244, , , , , ,18May2016 14:37:46,1,VPN-1 & FireWall-1, , , , , , , ,ssh, , ,18May2016 14:37:46,18May2016 20:37:52,1318,606,712,712,606,46244,670625,eth0,eth0,eth1,eth1,2,0,0, , , , , ,060020, , , , , , , , , , , , , , , ,{FDF89252-FD12-41EE-8BF5-29B83235182E}, , , , ,

The header time is taken from the 18May2016 14:37:46 field of the log message, which for an Account log is the session start time. It does not mean that the log message was received at May 18 2016 14:37:46; the same record also carries the session end time, 18May2016 20:37:52, which is when the session closed and the record was written.

Notes
This article only explains why specific log messages may show as delayed. If all Check Point log messages are delayed, that is a different problem and needs to be troubleshot separately.
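The following script is an added example for this article, not RSA or Check Point code. It applies the reasoning of the Resolution and Notes sections to individual records: it parses a %CHKPNT line, takes the header time and the Check Point timestamps in the body, and splits the apparent delay (Log Decoder receive time minus header time) into the part covered by the session lifetime and the residual after the session end. Records whose delay is not covered by a session lifetime are the "genuinely delayed" case the Notes section says must be troubleshot on its own. Assumptions not from the article: the decoder receive time is supplied by the caller (here as constructed values), a record carrying two different Check Point timestamps is treated as an Account log whose earliest timestamp is the session start and latest is the session end, and the non-Account sample records are constructed.

```python
"""Triage apparent delays of Check Point (%CHKPNT) records on an RSA Log Decoder.

Added example for this article, not RSA or Check Point code.  The header time of
a CHKPNT record is derived from the Check Point timestamp inside the body, which
for Account-track records is the session start, so the record only reaches the
decoder after the session closes.  This script separates the apparent delay
(decoder receive time minus header time) into the session lifetime and the
residual after the session end.

Assumptions (not from the article): the decoder receive time is given by the
caller; a record with two different Check Point timestamps is treated as an
Account log (earliest = session start, latest = session end).
"""
import re
from datetime import datetime, timedelta

HEADER_RE = re.compile(
    r"^(?P<hdr>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%CHKPNT-\d-(?P<msgid>\d+): (?P<body>.*)$"
)
# Check Point timestamps inside the body look like "18May2016 14:37:46".
CP_TS_RE = re.compile(r"^\d{1,2}[A-Z][a-z]{2}\d{4} \d{2}:\d{2}:\d{2}$")


def parse_record(line):
    """Return header time, message id, action and session start/end of one record."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CHKPNT record: %r" % line[:60])
    fields = [f.strip() for f in m["body"].split(",")]
    stamps = sorted(
        datetime.strptime(f, "%d%b%Y %H:%M:%S") for f in fields if CP_TS_RE.match(f)
    )
    return {
        "header_time": datetime.strptime(m["hdr"], "%b %d %Y %H:%M:%S"),
        "msgid": m["msgid"],
        "action": fields[0],
        "session_start": stamps[0] if stamps else None,
        "session_end": stamps[-1] if stamps else None,
        # Assumption: distinct start/end timestamps mark an Account-track record.
        "account_log": len(stamps) >= 2 and stamps[0] != stamps[-1],
    }


def triage(line, received_at, tolerance=timedelta(minutes=5)):
    """Classify the apparent delay of one record, given the decoder receive time."""
    rec = parse_record(line)
    apparent = received_at - rec["header_time"]
    if rec["account_log"]:
        # Header time is the session start; the record was only written at session end.
        lifetime = rec["session_end"] - rec["session_start"]
        residual = received_at - rec["session_end"]
        verdict = "account-log" if residual <= tolerance else "account-log+residual"
    else:
        # No session lifetime to account for: any delay is real collection delay.
        lifetime = timedelta(0)
        residual = apparent
        verdict = "on-time" if apparent <= tolerance else "delayed"
    return {
        "verdict": verdict,
        "apparent_delay_s": int(apparent.total_seconds()),
        "session_lifetime_s": int(lifetime.total_seconds()),
        "residual_s": int(residual.total_seconds()),
        "action": rec["action"],
        "msgid": rec["msgid"],
    }


# The record quoted in the article, with the receive time the article gives (21:38:34).
ARTICLE_RECORD = (
    "May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,"
    "192.168.x.x,59515,192.168.x.x,22,ssh,tcp,10,716869,6:01:22, , , , , , , , , , , , , , ,"
    "670625,46244, , , , , ,18May2016 14:37:46,1,VPN-1 & FireWall-1, , , , , , , ,ssh, , ,"
    "18May2016 14:37:46,18May2016 20:37:52,1318,606,712,712,606,46244,670625,eth0,eth0,"
    "eth1,eth1,2,0,0, , , , , ,060020, , , , , , , , , , , , , , , ,"
    "{FDF89252-FD12-41EE-8BF5-29B83235182E}, , , , ,"
)
ARTICLE_RECEIVED = datetime(2016, 5, 18, 21, 38, 34)

# Constructed samples (not from the article): a non-Account record processed promptly,
# and one processed two hours late, the "all logs delayed" case the Notes section covers.
CONSTRUCTED_PROMPT = (
    "May 18 2016 14:40:00: %CHKPNT-6-060020: accept,10.0.0.5,inbound,eth0,10.0.0.5,"
    "40000,10.0.0.9,443,https,tcp,18May2016 14:40:00,1,VPN-1 & FireWall-1"
)
PROMPT_RECEIVED = datetime(2016, 5, 18, 14, 40, 12)
CONSTRUCTED_LATE = (
    "May 18 2016 14:50:00: %CHKPNT-6-060020: accept,10.0.0.5,inbound,eth0,10.0.0.5,"
    "40001,10.0.0.9,443,https,tcp,18May2016 14:50:00,1,VPN-1 & FireWall-1"
)
LATE_RECEIVED = datetime(2016, 5, 18, 16, 50, 0)


def summarize(records, tolerance=timedelta(minutes=5)):
    """Triage a list of (line, received_at) pairs."""
    return [triage(line, received_at, tolerance) for line, received_at in records]


if __name__ == "__main__":
    pairs = [(ARTICLE_RECORD, ARTICLE_RECEIVED),
             (CONSTRUCTED_PROMPT, PROMPT_RECEIVED),
             (CONSTRUCTED_LATE, LATE_RECEIVED)]
    for r in summarize(pairs):
        print("%-22s apparent=%6ds lifetime=%6ds residual=%6ds (%s %s)" % (
            r["verdict"], r["apparent_delay_s"], r["session_lifetime_s"],
            r["residual_s"], r["msgid"], r["action"]))
```

For the quoted record the split is 6:00:06 of session lifetime (14:37:46 to 20:37:52) and 1:00:42 between session end and the decoder time the article reports. The article attributes the whole 7-hour gap to Account-track behaviour; the script deliberately reports the leftover hour as a residual rather than assuming what it is, since clock or time zone offsets between the gateway, collector and decoder would show up in exactly that term and are worth checking separately. The two constructed non-Account records show the distinction the Notes section draws: a 12-second delay is on time, while a two-hour delay on a record with no session lifetime behind it is a real collection problem.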
