mnguyen1
New Member.
3113 views

Correct Manager receipt time vs. Start Time


Received an email alert that has a different Manager Receipt date and time vs. Start/End Time. These two should be consistent. I was told that the daemon may be queued or blocked. How do I correct this and where do I go to check?


Accepted Solutions
Jurgen
Visitor.

Re: Correct Manager receipt time vs. Start Time


Hi Mylan,

There are 5 types of time inside the "time group" of the ArcSight Event schema of 17 groups and 400+ columns:

  • Start time - When the event started on the source machine
  • End time - When the event stopped on the source machine. (this is what you should use for your content)
  • Device receipt time - When there is a device in between the original source and the SmartConnector that passes it through
  • Agent receipt time - When the Smartconnector received the event
  • Manager Receipt time - When the Arcsight ESM received the event


The end time will always be earlier than the device receipt time, agent time and manager time because they are later in the chain. You can check the time difference by using a variable that compares the "end time" to the "manager receipt time" and puts the difference in an active channel column (you can see a real-time feed of the time difference).


If there is a really big difference it can have the following causes:

- Your NTP server is not synced on the Source machine, Smartconnector server and the Manager (make sure they all use the same NTP server).

- The logs are being sent from the source machine using a different method

     - Database query method (this has periodic settings in agent.properties that state how many times it should query in X amount of time)

     - Source machine uses a cronjob to send ftp logs to the Smartconnector every X amount of minutes

     - Your SmartConnector has performance issues: it is caching its events on a daily basis.

          * if you want to troubleshoot this: look into your connector dashboards for caching activity on the Smartconnector.

          * another alternative is to read out the agent.log of the SmartConnector; you can also check it with the "we! analyze!" tool


All in all, it's not the end of the world if it's a 10-second difference. If it's a really big difference then you should check it out.


Kind regards,

Jurgen

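The check Jurgen describes (compare End Time with Manager Receipt Time and watch the difference) can be scripted outside the console as well. The following is an added example, not code from the thread or from ArcSight: it runs over a handful of constructed events whose field names mirror the ESM time group (endTime, agentReceiptTime, managerReceiptTime), computes the MRT minus ET lag, and sorts each event into "normal" (within the ~10 second tolerance mentioned above), a delay that accumulated before the connector (DB polling, cron/FTP batches), a delay that accumulated between connector and ESM (connector caching), or a negative lag, which is the ET > MRT situation raised later in the thread and indicates the source clock running ahead. The 10-second tolerance comes from the answer; everything else (field spelling, sample timestamps, category names) is an assumption made for the example.

```python
"""Added example (not from the thread or from ArcSight): classify End Time vs
Manager Receipt Time lag over constructed sample events."""
from datetime import datetime, timezone

# Tolerance taken from the answer above: a ~10 second lag is nothing to worry about.
NORMAL_LAG_SECONDS = 10

# Constructed sample events (not real data). Field names are assumed to mirror the
# ESM time group; values are ISO 8601 timestamps in UTC.
SAMPLE_EVENTS = [
    {"name": "ssh login", "endTime": "2019-03-04T10:00:00Z",
     "agentReceiptTime": "2019-03-04T10:00:02Z", "managerReceiptTime": "2019-03-04T10:00:03Z"},
    {"name": "db audit", "endTime": "2019-03-04T10:00:00Z",
     "agentReceiptTime": "2019-03-04T10:05:00Z", "managerReceiptTime": "2019-03-04T10:05:01Z"},
    {"name": "ftp batch", "endTime": "2019-03-02T09:00:00Z",
     "agentReceiptTime": "2019-03-04T10:00:00Z", "managerReceiptTime": "2019-03-04T10:00:01Z"},
    {"name": "skewed host", "endTime": "2019-03-04T10:00:30Z",
     "agentReceiptTime": "2019-03-04T10:00:00Z", "managerReceiptTime": "2019-03-04T10:00:01Z"},
    {"name": "cached event", "endTime": "2019-03-04T10:00:00Z",
     "agentReceiptTime": "2019-03-04T10:00:01Z", "managerReceiptTime": "2019-03-04T12:00:00Z"},
]


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lag_seconds(event, later="managerReceiptTime", earlier="endTime"):
    """Seconds between two time-group fields; negative when 'earlier' is actually later."""
    return (parse_ts(event[later]) - parse_ts(event[earlier])).total_seconds()


def classify(event):
    """Sort one event into the categories discussed in the thread."""
    total = lag_seconds(event)
    if total < 0:
        # ET > MRT cannot happen in a sane chain: the source clock is ahead of the ESM.
        return "clock_skew"
    if total <= NORMAL_LAG_SECONDS:
        return "normal"
    # Split the lag into the two hops so the likely cause is narrowed down:
    # source -> connector (DB polling, cron/FTP batches) vs connector -> ESM (caching).
    to_agent = lag_seconds(event, "agentReceiptTime", "endTime")
    to_manager = lag_seconds(event, "managerReceiptTime", "agentReceiptTime")
    if to_manager > to_agent:
        return "connector_to_esm_delay"
    return "source_to_connector_delay"


def report(events):
    """Return (name, MRT-ET lag in seconds, category) for every event."""
    return [(e["name"], lag_seconds(e), classify(e)) for e in events]


if __name__ == "__main__":
    for name, lag, verdict in report(SAMPLE_EVENTS):
        print(f"{name:12s} MRT-ET={lag:>10.0f}s  {verdict}")
```

Splitting the lag across the two hops is what makes the output actionable: a large source-to-connector gap points at the log transport (polling interval, batch jobs) or the source clock, while a large connector-to-ESM gap points at the connector caching that the dashboards and agent.log would confirm.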
9 Replies
mnguyen1
New Member.

Re: Correct Manager receipt time vs. Start Time


Thanks for the explanation, Jurgen. The difference is by a day or more and not just minutes or seconds. I will look into it based on your suggestion.


Re: Correct Manager receipt time vs. Start Time


Did you find anything? I'm having the same problem at the moment. Events reach ArcSight after 2-3 days. And correlation is late.

mnguyen1
New Member.

Re: Correct Manager receipt time vs. Start Time


In my case, the NTP server was out of sync, which caused the problem to occur.


Re: Correct Manager receipt time vs. Start Time


Hi,

In my case it was connector caching events.

ateeshbhat
Trusted Contributor.

Re: Correct Manager receipt time vs. Start Time


Hello Jurgen,

In our case:

1. We got NTP synced with Connector Server and ESM server.

2. Connector Server and ESM server are tagged to same NTP.

For our environment - Domain members are reporting to DC and DC is in sync with the NTP server.

Still, I observe some time difference in seconds between MRT and ET (ET > MRT).

Please, if you could suggest! (This is very critical)

Cheers!

Ateesh

Volker Michels
Acclaimed Contributor.

Re: Correct Manager receipt time vs. Start Time


Hello,

As described above, the ET is the time on the source device, not on the SmartConnector, thus you need to check there and also check the network, as it could also cause delay in transport.

Volker

ateeshbhat
Trusted Contributor.

Re: Correct Manager receipt time vs. Start Time


Thanks  Volker!

The time on our end devices is in sync with Domain controller which is synced with the NTP.

Will get it checked once again!

Regards,

Ateesh

amane
Respected Contributor.

Re: Correct Manager receipt time vs. Start Time


Hello All,

If NTP servers are in different timezone, will logger be able to convert time in logger's local time zone?

Regards,

Ameer Mane
