000036229 - Malware Analysis Time difference issue depending on OS timezone configuration in RSA NetWitness Logs & Packets 10.6.x

Document created by RSA Customer Support Employee on Apr 11, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036229
Applies ToRSA Product Set: Netwitness Logs and Packets
RSA Product/Service Type: Netwitness Logs and Packets
RSA Version/Condition: 10.6.x
IssueIf Security Analytics Server and Malware Analysis OS timezone are not configured as UTC, it displays differences between "time meta-value" of Investigation and "time meta-value" of Malware GUI.
In case of KST(Korea Standard Time) OS timezone, it shows 30 minutes time meta-value differences between Investigation and Malware GUI as shown below.
<Malware GUI>
User-added image
<Investigation GUI>
User-added image
CauseThis is because Security Analytics Server and Malware Analysis OS timezone is not configured as UTC as shown below.
# date
Mon Apr  9 14:23:39 KST 2018
# ls -ltr /etc/localtime
lrwxrwxrwx. 1 root root 30 Mar 15 09:33 /etc/localtime -> /usr/share/zoneinfo/Asia/Seoul
ResolutionYou can fix this issue if you change Security Analytics Server and Malware Analysis OS timezone as UTC.
WorkaroundIf the customer does not allow to change current OS timezone, follow these steps to fix this issue.
1) SSH connect to Malware Analysis appliance
2) Add following phrase("-Duser.timezone=UTC") starting JAVA_OPTS variable from /etc/init/rsaMalwareDevice.conf as shown below.
User-added image
3) Restart Malware Analysis service
# stop rsaMalwareDevice
# start rsaMalwareDevice

After above steps, the time difference issue will be resolved.