
ObserveEventTime delay

Hi All

     A customer reports that Windows Server logs collected through Agent Manager arrive delayed.

     I checked the events sent from the host and found that the Windows logs sent from the host go to both the Universal Collector and the Windows Collector via the Agent Manager Connector.

     For events sent to the Universal Collector, the ObserverEventTime is normal; but for events sent to the Windows Collector at the same time, the ObserverEventTime records an earlier time (indicating that these events are from several hours ago). These delayed events are at most more than 12 hours old and at least four hours old (when I observed it more than six hours later, the last event was four hours old).

     I have confirmed the timezone; it is not a delay caused by the timezone.

     I don't know why events sent by the same host, but to different Collectors, have this problem.

Is it an EPS problem?
Does anyone have relevant experience to offer?

Thanks!

Wencheng


  • Suggested Answer

    0

    Hi Wencheng,

    I've sent the below to customers in the past; hope it helps.



    Every event has three time fields:

       * Event Time: This is the event time used by all analytical engines, searches, reports, and so on.

       * Sentinel Process Time: The time Sentinel collected the data from the device, taken from the Collector Manager system time.

       * Observer Event Time: The time stamp the device put in the data. The data might not always contain a reliable time stamp, and it can be quite different from the Sentinel Process Time, for example when the device delivers data in batches.


       1. By default, the Event Time is set to the Sentinel Process Time. The ideal, however, is for the Event Time to match the Observer Event Time, if it is available and trustworthy. It is best to configure data collection to Trust Event Source Time if the device time is available, accurate, and properly parsed by the Collector. The Collector sets the Event Time to match the Observer Event Time.

       2. The events that have an Event Time within a 5 minute range from the server time (in the past or future) are processed normally by Event Views. Events that have an Event Time more than 5 minutes in the future do not show in the Event Views, but are inserted into the event store. Events that have an Event Time more than 5 minutes in the future and less than 24 hours in the past still are shown in the charts, but are not shown in the event data for that chart. A drill-down operation is necessary to retrieve those events from the event store.

       3. Events are sorted into 30-second intervals so that the Correlation Engine can process them in chronological order. If the Event Time is more than 30 seconds older than the server time, the Correlation Engine does not process the events.

       4. If the Event Time is older than 5 minutes relative to the Collector Manager system time, Sentinel directly routes events to the event store, bypassing real-time systems such as Correlation Engine and Security Intelligence.

    See:
    www.microfocus.com/.../bvtjmyb.html
    www.microfocus.com/.../bvtjo3t.html


    Now, we recently published a new MS AD and Windows Collector.

    Please find the Microsoft Active Directory and Windows 2011.1r9 preview build on the Marketplace for download. This Collector populates the certificate information into EI.

    marketplace.microfocus.com/.../microsoft-active-directory-and-windows


    Also make sure you have the latest Agent Manager Connector deployed.

    marketplace.microfocus.com/.../agent-manager

    The latest is Revision 2021.1r1.

    I attached the latest plugin PDF, which includes test results, including EPS.


    Regards,


    Henk Tjalsma



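The three time fields and the 5-minute, 30-second and 24-hour routing rules in the answer above are easiest to reason about in code. The following is an added example, not Sentinel or Micro Focus code: `route()` classifies one event by its Event Time against the Collector Manager clock exactly as the answer lists the rules, and `collector_skew()` plus `diagnose()` compute, per Collector, the offset between Sentinel Process Time and Observer Event Time so that a constant multi-hour shift can be told apart from a variable backlog. The field names (`collector`, `ObserverEventTime`, `SentinelProcessTime`), the sample events and the `diagnose()` heuristic are constructed for illustration; item 2 of the answer is read as "5 minutes to 24 hours in the past", the only reading consistent with item 4, and that reading is an assumption.

```python
"""Timestamp triage for Sentinel events, following the routing rules in the
answer above. Added example, not Sentinel or Micro Focus code. Field names
(collector, ObserverEventTime, SentinelProcessTime) and the sample events are
constructed for illustration; timestamps are assumed to be UTC."""
from datetime import datetime, timedelta, timezone
from statistics import median

FIVE_MIN = timedelta(minutes=5)
THIRTY_SEC = timedelta(seconds=30)
ONE_DAY = timedelta(hours=24)


def ts(text):
    """Parse an ISO-8601 timestamp such as '2021-06-01T08:00:00' as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def route(event_time, server_time):
    """Describe how Sentinel treats an event whose Event Time is event_time
    when judged against the Collector Manager clock server_time.

    Rules as stated in the answer (item 2's '5 minutes in the future and less
    than 24 hours in the past' is read here as 5 minutes to 24 hours in the
    PAST, the only reading consistent with item 4; that is an assumption):
      * within +/- 5 min      -> Event Views, charts; correlation if <= 30 s old
      * > 5 min in the future -> stored only, hidden from Event Views
      * 5 min .. 24 h old     -> charts yes, event data only via drill-down,
                                 Correlation Engine and Security Intelligence bypassed
      * > 24 h old            -> stored only
    Every event is inserted into the event store regardless.
    """
    age = server_time - event_time  # positive means the event is in the past
    if age < -FIVE_MIN:
        return dict(stored=True, event_views=False, charts=False,
                    correlation=False, reason="more than 5 min in the future")
    if age <= FIVE_MIN:
        correlates = age <= THIRTY_SEC
        return dict(stored=True, event_views=True, charts=True,
                    correlation=correlates,
                    reason="real time" if correlates
                    else "older than 30 s: Correlation Engine skips it")
    if age < ONE_DAY:
        return dict(stored=True, event_views=False, charts=True,
                    correlation=False,
                    reason="5 min to 24 h old: event store only, charts via drill-down")
    return dict(stored=True, event_views=False, charts=False,
                correlation=False, reason="older than 24 h")


# Constructed sample: the same host, the same minute, two Collectors. The
# Windows Collector rows carry an Observer Event Time four hours behind, as
# described in the thread; the Universal Collector rows are seconds behind.
SAMPLE_EVENTS = [
    {"collector": "Universal Collector", "ObserverEventTime": "2021-06-01T08:00:00",
     "SentinelProcessTime": "2021-06-01T08:00:03"},
    {"collector": "Universal Collector", "ObserverEventTime": "2021-06-01T08:00:10",
     "SentinelProcessTime": "2021-06-01T08:00:15"},
    {"collector": "Universal Collector", "ObserverEventTime": "2021-06-01T08:00:20",
     "SentinelProcessTime": "2021-06-01T08:00:22"},
    {"collector": "Windows Collector", "ObserverEventTime": "2021-06-01T04:00:00",
     "SentinelProcessTime": "2021-06-01T08:00:03"},
    {"collector": "Windows Collector", "ObserverEventTime": "2021-06-01T04:00:12",
     "SentinelProcessTime": "2021-06-01T08:00:15"},
    {"collector": "Windows Collector", "ObserverEventTime": "2021-06-01T04:00:19",
     "SentinelProcessTime": "2021-06-01T08:00:22"},
]


def collector_skew(events):
    """Per Collector: count, median and spread (max - min) of
    SentinelProcessTime - ObserverEventTime, in seconds."""
    offsets = {}
    for e in events:
        delta = ts(e["SentinelProcessTime"]) - ts(e["ObserverEventTime"])
        offsets.setdefault(e["collector"], []).append(delta.total_seconds())
    return {name: {"count": len(v), "median_offset_s": median(v),
                   "spread_s": max(v) - min(v)}
            for name, v in offsets.items()}


def diagnose(stat):
    """Heuristic reading of one Collector's skew (an assumption, not a Sentinel
    rule): a large, nearly constant offset points at the device clock or the
    Collector's timestamp parsing; a large, variable offset points at backlog
    or batch delivery."""
    if abs(stat["median_offset_s"]) <= FIVE_MIN.total_seconds():
        return "within tolerance"
    if stat["spread_s"] <= 60:
        return "constant offset: check device clock and Collector timestamp parsing"
    return "variable delay: check backlog or batch delivery"


if __name__ == "__main__":
    now = ts("2021-06-01T08:00:30")  # pretend Collector Manager clock
    for e in SAMPLE_EVENTS:
        # Judge each event as if Trust Event Source Time were on, i.e. as if
        # Event Time had been set to Observer Event Time.
        r = route(ts(e["ObserverEventTime"]), now)
        print(e["collector"], e["ObserverEventTime"], r["reason"])
    for name, stat in collector_skew(SAMPLE_EVENTS).items():
        print(name, stat, diagnose(stat))
```

Run against a real export, the useful signal is the spread: a four-hour median with near-zero spread on one Collector only, while the other Collector on the same host sits within seconds, says the data itself or its parsing carries the offset, not the transport, which is why the answer's advice to check which time field the Collector trusts comes before any EPS investigation.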

  • 0 in reply to 

    Hi,

    The customer installed 2 new domain controllers (Win2019) and I updated the Windows Collector (2011.1r9.preview) and the Agent Manager Connector (2021.1r1)... when the Agent starts sending logs, the result is the same.

    The logs sent to the Universal Collector (like service start/stop events) have an ObserverEventTime near the current time, but at the same time, logs sent to the Windows Collector (like user logon/logoff events) have an ObserverEventTime offset of about 4~4.5 hours.

    This screenshot is of logs sent to the Universal Collector; the EventTime is near the ObserverEventTime.

    At the same time, the logs sent to the Windows Collector have the offset issue.

    I did a test: I changed the default Collector in the Agent Manager Connector from the Universal Collector to the Windows Collector, so that logs originally sent to the Universal Collector go to the Windows Collector instead. I found that these logs, which were originally sent to the Universal Collector, still have a near-current time even when sent to the Windows Collector.

    Wencheng

  • 0 in reply to 

    Hi Henk,

    About this issue... I have upgraded Agent Manager to 8.5.0.4 and the Windows Collector and Agent Manager Connector to the latest versions you provided.

    But the ObserverEventTime is still 3-4.5 hours behind (but interestingly, at the same time, Windows has other events like service stop/start that are sent to the Universal Collector, and those events' ObserverEventTime is correct).

    Now everything in the customer environment is on the latest version except the Sentinel appliance; I plan to upgrade it this week.

    Wencheng