How to understand the difference between times displayed in windows logs system time and event.time meta in RSA Security Analytics and NetWitness Platform
SA Product Set: RSA Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Windows Legacy Collector
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS
OS Version: EL6, EL7
How to understand the difference between times displayed in windows logs, system time, and event.time meta in RSA Security Analytics or NetWitness Logs & Network.
When viewing a raw Windows log in RSA Security Analytics or NetWitness Logs & Network, the time displayed may be different from that when viewing the event in the Windows Event Viewer.
Windows Event Logs are stored internally in UTC on the system. When an event is displayed in the Windows Event Viewer, the time shown is calculated from the time zone configured on the Windows system and the UTC time of the event. Therefore, if the UTC time is 13:47:13 and the time zone set on the Windows computer is UTC+3, then the time displayed in the Windows Event Viewer will be 13:47:13 + 3 hours = 16:47:13.
However, internally the log entry is still written in UTC.
You can verify this by going into the Windows event log viewer and clicking on the log entry in XML view.
The TimeCreated value will end with Z, which indicates that it is in Zulu time (UTC/GMT):
<TimeCreated SystemTime="2014-07-02T13:47:13.000000000Z" />
Windows logs are collected either over WinRM or by using a Windows Legacy Log Collector. Both methods collect the log on a polling interval, and the Event Time displayed is the time at which the log was processed by the corresponding Log Collector, i.e. the UTC time of the Log Collector. This means there can be a delay of up to the chosen polling interval between the time of the Windows event and the time the Log Collector received it. In extreme circumstances, if no log events could be collected from a Windows machine for some time, the events are queued on the Windows machine until they can eventually be retrieved, which can lead to a longer mismatch between the two times. Note that the actual event.time meta for the log entry is correctly parsed and stored from the event itself and can be seen in the detailed view for the log.
The time displayed in the Investigation GUI is based on the event.time meta in the log and the setting under Profile -> Preferences -> General -> Browser Time Zone. Note: In NetWitness 11.x, click the current user name in the top right corner to find the Profile menu.
If the Browser Time Zone is set to UTC+3, the sample log above is shown with an Event Time of 16:47:13.
Under Administration -> Devices -> (choose any device) -> View System, the Current Time displayed is the UTC time of that device.
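The following script is an added example, not part of the original article and not RSA or NetWitness code. It reproduces the reasoning above on a constructed TimeCreated fragment: it verifies that the SystemTime value carries the trailing Z (UTC), renders the event.time the way Investigation would for a given Browser Time Zone offset, and measures the lag between the event's UTC time and the (constructed) UTC time at which a Log Collector processed it, flagging lags that exceed the polling interval and therefore point to queued or stalled collection rather than normal polling delay.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: the TimeCreated element as shown in the XML view of the
# Windows Event Viewer (same timestamp as the article's example).
SAMPLE_TIMECREATED = '<TimeCreated SystemTime="2014-07-02T13:47:13.000000000Z" />'

_SYSTEMTIME_RE = re.compile(r'SystemTime="([^"]+)"')


def parse_system_time(xml_fragment: str) -> datetime:
    """Extract SystemTime from a TimeCreated element as an aware UTC datetime.

    Raises ValueError if the value lacks the trailing 'Z' that marks UTC, so a
    timestamp that was silently rewritten to local time is not misread as UTC.
    """
    match = _SYSTEMTIME_RE.search(xml_fragment)
    if not match:
        raise ValueError("no SystemTime attribute found")
    value = match.group(1)
    if not value.endswith("Z"):
        raise ValueError(f"SystemTime is not marked as UTC (no trailing Z): {value}")
    # Windows writes up to nine fractional digits; strptime's %f accepts at
    # most six, so split off the fraction and truncate it to microseconds.
    main, _, frac = value[:-1].partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    parsed = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)


def display_time(event_utc: datetime, browser_utc_offset_hours: int) -> str:
    """Render event.time as Investigation shows it for Browser Time Zone UTC+offset."""
    browser_tz = timezone(timedelta(hours=browser_utc_offset_hours))
    return event_utc.astimezone(browser_tz).strftime("%H:%M:%S")


def collection_lag(event_utc: datetime, collector_utc: datetime,
                   polling_interval_seconds: int):
    """Return (lag_seconds, exceeds_polling_interval).

    A lag within the polling interval is the expected WinRM / Legacy Collector
    delay; anything larger suggests events were queued on the Windows host.
    """
    lag = int((collector_utc - event_utc).total_seconds())
    return lag, lag > polling_interval_seconds


if __name__ == "__main__":
    event = parse_system_time(SAMPLE_TIMECREATED)
    print("event.time (UTC):     ", event.isoformat())
    print("Event Viewer at UTC+3:", display_time(event, 3))
    # Constructed collector receipt time 107 s after the event, 5-minute polling.
    collector = parse_system_time('<TimeCreated SystemTime="2014-07-02T13:49:00Z" />')
    print("collector lag:", collection_lag(event, collector, 300))
```

Run it against a TimeCreated line copied from the XML view of any event; if parse_system_time raises, the event was not recorded in UTC and the offset calculation above does not apply.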
The following pictures clarify these points.
Be aware that you can make the Windows logs contain the current local time: set the clock on the Windows machine to the current UTC time and set the time zone on the Windows machine to UTC as well. The effect, however, is that the Windows machine itself will then display time in UTC rather than local time, which may not be desirable.