IBM Support

QRadar: Time zones and managed hosts

Question & Answer


Question

When comparing the Log Activity versus the Reports, why are there inconsistencies in the time stamps of the results?

Cause

If a managed host is located in a different time zone than the Console, the timestamps on its events and flows may not match the Console's time zone.

Answer

QRadar can produce seemingly inconsistent and incorrect results when comparing the Log Activity versus the Reports if the Console and managed hosts are in different time zones. Furthermore, even if they are all in the same time zone, results can be misleading if the time zone in which the report is generated is different from the time zone that the Console and managed hosts are in.

Under certain circumstances, this can result in reports returning what appears to be 48 hours of data for a daily report. It is strongly recommended that the Console and all managed hosts be in the same time zone, or that the Console and all managed hosts be set to GMT, to obtain results that are easily interpreted.
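The following added example (not IBM code, and not a description of QRadar's internal report logic) models why a "daily" window stops meaning 24 hours once hosts disagree on the time zone. It assumes each host resolves the same calendar day in its own fixed UTC offset; the date and offsets are constructed sample values.

```python
from datetime import date, datetime, timedelta, timezone

UTC = timezone.utc


def day_window_utc(day, offset_hours):
    """UTC [start, end) of calendar `day` as seen in a fixed-offset zone."""
    tz = timezone(timedelta(hours=offset_hours))
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    return start.astimezone(UTC), (start + timedelta(days=1)).astimezone(UTC)


def span_hours(day, offsets):
    """Hours from the earliest window start to the latest window end when
    every zone in `offsets` resolves the same calendar day locally."""
    windows = [day_window_utc(day, o) for o in offsets]
    start = min(w[0] for w in windows)
    end = max(w[1] for w in windows)
    return (end - start) / timedelta(hours=1)


def dates_shown(day, window_offset, display_offset):
    """Calendar dates that appear when a daily window built in one zone
    is rendered in another zone."""
    start, end = day_window_utc(day, window_offset)
    tz = timezone(timedelta(hours=display_offset))
    last = end - timedelta(microseconds=1)  # last instant inside the window
    return sorted({start.astimezone(tz).date(), last.astimezone(tz).date()})


if __name__ == "__main__":
    day = date(2018, 6, 24)  # constructed sample report day
    # Everything on GMT: the daily window is exactly one day.
    print("all GMT:", span_hours(day, [0, 0]), "hours")
    # Console at UTC-5, managed host at UTC+9 (constructed offsets).
    print("UTC-5 / UTC+9:", span_hours(day, [-5, 9]), "hours")
    # Offsets 24 hours apart: the two local days sit back to back.
    print("UTC-12 / UTC+12:", span_hours(day, [-12, 12]), "hours")
    # A Console-zone daily window viewed in the managed host's zone
    # carries two calendar dates.
    print("dates shown:", dates_shown(day, -5, 9))
```

With every offset set to 0 (GMT), the span is 24 hours and a single date is shown, which is the outcome the recommendation above is aiming for.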


Document Information

Modified date:
25 June 2018

UID

swg21995059