Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033189 - Time difference between event time and log time for checkpoint logs in RSA Security Analytics

Document created by RSA Customer Support

on Jun 30, 2016•Last modified by RSA Customer Support on May 6, 2019

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033189
Applies To	RSA Product Set: Security Analytics, RSA NetWitness Logs & Network RSA Product/Service Type: RSA Security Analytics Server RSA Version/Condition: 10.X Platform: CentOS
Issue	Logs collected from Checkpoint may show a significant time delay. This is only for some logs, with most logs arriving in a timely fashion. For example, the log entry below had a header timestamp of May 18 2016 14:37:46 but was not processed on the corresponding log decoder until 21:38:34 of the same day, giving a time difference of approximately 7 hours. May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,192.168.x.x,59515,192.168.x.x,22,ssh,tcp,10,716869,6:01:22 , , , , , , , , , , , , , , ,670625,46244, , , , , ,18May2016 14:37:46,1,VPN-1 & FireWall-1 , , , , , , , ,ssh, , ,18May2016 14:37:46,18May2016 20:37:52,1318,606,712,712,606,46244,670625, eth0,eth0,eth1,eth1,2,0,0, , , , , ,060020, , , , , , , , , , , , , , , ,{FDF89252-FD12-41EE-8BF5-29B83235182E} , , , , ,
Cause	The delayed logs are all Check Point account logs. These track when a session starts and ends. The session is only logged by Check Point when the session is closed. In the Check Point smartcenter GUI this is shown by having the account option in the track column as shown below.
Resolution	We create the header log message from the information in the message, so the time in the header of the message is not necessarily the time that the Check Point message was written to the log collector. In the example: May 18 2016 14:37:46: %CHKPNT-6-060020: accept,192.168.x.x,inbound,eth0,192.168.x.x,59515,192.168.x.x,22,ssh,tcp, 10,716869,6:01:22, , , , , , , , , , , , , , ,670625,46244, , , , , ,18May2016 14:37:46,1,VPN-1 & FireWall-1 , , , , , , , ,ssh, , ,18May2016 14:37:46,18May2016 20:37:52,1318,606,712,712,606,46244,670625,eth0,eth0,eth1,eth1,2,0,0 , , , , , ,060020, , , , , , , , , , , , , , , ,{FDF89252-FD12-41EE-8BF5-29B83235182E}, , , , , The header time is generated from the 18May2016 14:37:46 part of the log message. It does not mean that the log message was received at May 18 2016 14:37:46.
Notes	This article only explains why specific log messages may show as delayed. If all Check Point log messages are delayed, then this needs to be troubleshooted.

Attachments

Outcomes

0 Comments