IBM Support

QRadar: handling of different time zones, device event times, and times when using Log File Protocol

Question & Answer


How does IBM Security QRadar SIEM deal with different time zones, device event times, and times when using Log File Protocol?


When running a system that spans multiple time zones, most users set all their systems to either the same time zone as the console, or, run all the systems in GMT. This allows for the times across multiple systems to be the same.


How to update the time of a QRadar appliance:
To obtain the most up-to-date information on configuring the system time of a QRadar appliance, please use this link:
QRadar system time configuration

Log File Protocol - What is the impact on time when batch processing files?
Event logs are processed based on time received; the log source time in the payload is independent of the correlation time. In QRadar, Event Time is the time that the event was received into the event pipeline, thus ignoring any timestamp in the messages themselves when it comes to correlation. For example, if you were to pull events from a file server source (scp/sftp/ftp) once per hour, with approximately 50,000 events in each file. Then you replay them at 1000 events per second, the event times would always be the first 50 seconds of each hour, as the files are replayed from the log file protocol driver, into the event collector. For this reason, use a smaller time setting when pulling log files, but keep in mind that the log file protocols only grab new files as they become available.

This impacts correlation, such that these events only "occur" when they are processed. If you were to set up any rules that were correlating data coming in by way of a log file protocol, you would need to adjust the time windows of your rules accordingly. The primary goal of getting data in by using Log File Protocol is thus for reporting, where in a Daily (or longer) report cycle, the exact time of an event is less critical than it is for use with rules.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Admin Console","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3;7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018