Applies To:
RSA Product Set: Security Analytics, RSA NetWitness Logs & Network
RSA Product/Service Type: Log Decoder, Log Collector
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x, 10.6.x
Issue: Some raw log events carry a timestamp of the form "Apr 26 06:55:20" (the traditional BSD syslog header), but that time is not reflected in the event.time meta value.
Cause: The timestamp is incomplete. To populate event.time, the Log Decoder needs a year, a date and a time of day.
"Apr 26 06:55:20" carries no year, so the Log Decoder cannot parse it into event.time.
Resolution: The parser is working as designed. Either change the event source's log format so that the timestamp includes the year, or report on the time meta key (the time at which the Log Collector received the event) instead of event.time. RSA Security Analytics 10.6.5 adds additional date-format handling; see the Decoder and Log Decoder Configuration Guide, pages 133-134.
Workaround: RSA Security Analytics cannot extract event.time when the timestamp is missing any of the year, date or time values.
Either use the Log Collection time meta key (time) for reporting, or update the log format of the events at the source.
Below is a sample for updating a Linux event source to start logging with the right date format.
Once the source emits a full timestamp, event.time should be populated for its events.
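The following is an added example, not the article's own sample: a POSIX shell script that drops an rsyslog forwarding rule onto a Linux event source so that every message sent to the Log Collector carries an RFC 3339 timestamp (year, date and time), plus a small check that tells the two timestamp shapes apart. It assumes the event source runs rsyslog and accepts the legacy `*.* @@host:port;template` action syntax, that the collector listens for syslog on TCP 514, and that `logcollector.example.com` stands in for your Log Collector; all three are assumptions, as are the constructed sample lines in the usage comment.

```shell
#!/bin/sh
# Added example (not from the RSA article). Makes a Linux event source forward
# syslog with a year-bearing RFC 3339 timestamp instead of "Apr 26 06:55:20".
# Assumptions: rsyslog on the source, Log Collector on TCP 514, placeholder host.

COLLECTOR="${COLLECTOR:-logcollector.example.com}"   # assumed placeholder
CONF_DIR="${CONF_DIR:-/etc/rsyslog.d}"

# Write a drop-in that forwards all facilities over TCP using rsyslog's built-in
# RSYSLOG_ForwardFormat template, whose header is
#   <PRI>YYYY-MM-DDThh:mm:ss(.frac)(+|-)hh:mm HOST TAG MSG
# i.e. the year is always present for the Log Decoder to consume.
write_forward_conf() {
    mkdir -p "$CONF_DIR"
    cat > "$CONF_DIR/90-netwitness.conf" <<EOF
# Forward to the RSA Log Collector with a full timestamp (year, date, time).
*.* @@${COLLECTOR}:514;RSYSLOG_ForwardFormat
EOF
}

# Exit status 0 when a raw syslog line (optionally prefixed with <PRI>) starts
# with an RFC 3339 timestamp, 1 when it does not (e.g. the BSD "Apr 26 06:55:20"
# header that leaves event.time empty). Useful for spot-checking a tcpdump or
# a captured raw log before and after the change.
has_full_timestamp() {
    printf '%s\n' "$1" | grep -Eq \
        '^(<[0-9]{1,3}>)?[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}'
}

# Usage (as root on the event source):
#   sh netwitness-forward.sh install && systemctl restart rsyslog
# Constructed sample lines for has_full_timestamp:
#   '<13>2016-04-26T06:55:20+00:00 web01 sshd[1234]: Accepted publickey'  -> 0
#   '<13>Apr 26 06:55:20 web01 sshd[1234]: Accepted publickey'            -> 1
if [ "${1:-}" = "install" ]; then
    write_forward_conf
    echo "wrote $CONF_DIR/90-netwitness.conf; restart rsyslog to apply"
fi
```

After restarting rsyslog, confirm in Investigation on the Log Decoder that new events from this source now populate event.time and that it no longer trails the time key by more than the forwarding delay. The device parser for the source must recognise the new timestamp shape; if event.time is still empty after the change, keep reporting on time as the article advises and review the date-format notes the Resolution points to.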