
Correlation & "Trust Event Source Time" issue


Hi there,
I've noted that since enabling "Trust Event Source Time" for my
eDirectory collector, my very simple correlation rule for Intruder
Detection no longer fires (though it does properly detect when using the
"Test Rule" feature). The correlation rule does work after disabling
the setting, but all servers are using the same NTP and we do prefer to have
this enabled so that events are using the Observer Event Time stamp.

My Correlation rule is: filter(((e.EventName = "Intruder Detected")))

Bug?

Cheers,
Kirk


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=46397


Re: Correlation & "Trust Event Source Time" issue

> Hi there,
> I've noted that since enabling "Trust Event Source Time" for my
> eDirectory collector, my very simple correlation rule for Intruder
> Detection no longer fires (though it does properly detect when using the
> "Test Rule" feature). The correlation rule does work after disabling
> the setting, but all servers are using the same NTP and we do prefer to have
> this enabled so that events are using the Observer Event Time stamp.
>
> My Correlation rule is: filter(((e.EventName = "Intruder Detected")))
>
> Bug?


Probably not; I believe the timing allowing events into a correlation
engine is down to two (or thirty... I forget) seconds or so... probably
configurable in the .xml files for the CMs. I want to say this is related
to an 'eventrouter' setting, but don't quote me on that.

Anyway, the 'Test' functionality goes back and queries events already in
the system which may have arrived there on time, or a few minutes late,
but which always have timestamps that are there regardless of how delayed
the events are. The Correlation Engine is more-picky, kind of, and only
gets events which are sent to it from CMs and the CMs only put the events
from the last few seconds into the realtime channel (otherwise they were
not really "realtime" due to whatever delays before Sentinel was ready to
send the events from the event router).

I believe TID# 3674902 covers some of these settings, though it does not
address this exact issue.

Personally I would probably try to identify this by using the debugger in
the collector. If an event comes in and its timestamp is significantly
behind the present then no matter how quickly the collector parses it will
be too late. A connector dump may also be a way to get events written out
in a way that shows both the server's time as well as the original time.

Be sure that the source of events (eDirectory, probably using the Audit
Platform Agent (PA)) is not unnecessarily delaying things for too long or
you may get batches of events, all a minute or two late, just depending on
how the PA is configured. Its reconnect interval (should it lose
connection) as well as caching settings can affect the time it sends
events to the CM.

Good luck.

Re: Correlation & "Trust Event Source Time" issue


Here is the section from the Sentinel User manual that deals with the
limits of Real Time Correlation:

Sentinel’s correlation is near real-time and depends on the time stamp of
the individual events. When an event arrives at the Correlation Engine, the
engine reorders the events in a buffer based on the event time stamp (dt)
field so that the events are evaluated in time order. This is done partly
to evaluate sequence rules in which the rule only fires if events occur in
a specific order.

The buffer is 30 seconds long, so if the event time stamp (dt) is more
than 30 seconds older than the Collector Manager time stamp, the event is
not evaluated. To minimize false time differences, you must use an NTP
(Network Time Protocol) server to synchronize the time settings on the
relevant machines.


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=46397


Re: Correlation & "Trust Event Source Time" issue


Yes.

I think the point here is that it seems very much like the reason the
correlation engine isn't evaluating those events is because they are
coming through delayed (or in the future) for some reason. Note that
this may be a timezone issue - if you have the wrong timezone set for
the source the events could be "shifted" in time incorrectly.

Make sure you carefully check all those settings and verify the et, det,
and dt fields for the received events from that source.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
View this thread: https://forums.netiq.com/showthread.php?t=46397
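A toy model of the buffer behaviour described in the manual excerpt above and of the et/det/dt skew check DCorlette recommends, as an added example that is not part of the thread and not Sentinel's own code. It assumes a source running on US Eastern time whose Platform Agent emits timestamps without zone information, and it treats det as the device time, dt as the time the engine orders on, and the Collector Manager receive time as the reference clock; those field semantics, the constructed sample events and the 300-second tolerance in the diagnosis are the example's own assumptions, not Sentinel's schema.

```python
"""Toy model of the Sentinel correlation-engine behaviour described in the
thread: events are reordered by dt, and an event whose dt is more than
30 seconds older than the Collector Manager time is not evaluated.
Added example; this is not Sentinel code."""
from datetime import datetime, timedelta, timezone

BUFFER_SECONDS = 30          # from the manual excerpt quoted in the thread
UTC = timezone.utc
SOURCE_ACTUAL_TZ = timezone(timedelta(hours=-5))   # assumed: source runs on US Eastern

# Constructed sample events, not real Sentinel records. raw_det is the device
# timestamp as the Platform Agent emits it (local time, no zone information);
# received_utc is when the Collector Manager got the event. Treating det as the
# device time and dt as the time the engine orders on is this example's assumption.
SAMPLE_EVENTS = [
    {"EventName": "Intruder Detected", "raw_det": "2013-03-05 09:00:02",
     "received_utc": "2013-03-05 14:00:05"},
    {"EventName": "Login Succeeded", "raw_det": "2013-03-05 09:00:20",
     "received_utc": "2013-03-05 14:00:21"},
    # cached by the Platform Agent and delivered 2 min 20 s late
    {"EventName": "Intruder Detected", "raw_det": "2013-03-05 09:02:10",
     "received_utc": "2013-03-05 14:04:30"},
]


def _parse(stamp, tz):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def normalize(event, trust_source_time, configured_tz):
    """Return (det, dt, cm_time) for one event.

    configured_tz is the zone Sentinel has been told the source runs in. If it
    differs from the source's real zone, det is shifted by the difference.
    With Trust Event Source Time on, dt is taken from det; otherwise dt is the
    Collector Manager receive time.
    """
    det = _parse(event["raw_det"], configured_tz)
    cm_time = _parse(event["received_utc"], UTC)
    dt = det if trust_source_time else cm_time
    return det, dt, cm_time


def correlate(events, trust_source_time, configured_tz, name="Intruder Detected"):
    """Apply the 30-second staleness rule, reorder by dt, then run the
    thread's filter(e.EventName = name) rule.

    Returns (names_that_fired, [(name, age_in_seconds) for dropped events]).
    """
    admitted, dropped = [], []
    for ev in events:
        det, dt, cm_time = normalize(ev, trust_source_time, configured_tz)
        age = (cm_time - dt).total_seconds()
        if age > BUFFER_SECONDS:
            dropped.append((ev["EventName"], round(age)))   # never evaluated
        else:
            admitted.append((dt, ev))
    admitted.sort(key=lambda pair: pair[0])                  # the reorder buffer
    fired = [ev["EventName"] for _, ev in admitted if ev["EventName"] == name]
    return fired, dropped


def skews(events, configured_tz):
    """Collector Manager receive time minus det, in seconds, per event: the
    field check the last reply asks for, done over a sample of events."""
    return [round((cm - det).total_seconds())
            for det, _, cm in (normalize(ev, True, configured_tz) for ev in events)]


def diagnose(skew_list):
    """Classify a source's skew pattern: ok, timezone (whole-hour offset) or
    delayed (variable lag, e.g. Platform Agent caching or reconnects)."""
    if all(abs(s) <= BUFFER_SECONDS for s in skew_list):
        return "ok"
    hours = [s / 3600 for s in skew_list]
    whole_hour = all(abs(h - round(h)) * 3600 <= 300 for h in hours)  # assumed tolerance
    if whole_hour and any(abs(h) >= 1 for h in hours):
        return "timezone"
    return "delayed"


if __name__ == "__main__":
    for label, trust, tz in [("trust on, correct zone", True, SOURCE_ACTUAL_TZ),
                             ("trust on, source zone left at UTC", True, UTC),
                             ("trust off", False, UTC)]:
        fired, dropped = correlate(SAMPLE_EVENTS, trust, tz)
        print(f"{label}: fired={fired} dropped={dropped}")
    for tz in (SOURCE_ACTUAL_TZ, UTC):
        s = skews(SAMPLE_EVENTS, tz)
        print(f"skews {s} -> {diagnose(s)}")
```

Reading the three runs: with the setting on and the source zone correct, only the event the Platform Agent held back is dropped (140 seconds old), so one Intruder Detected fires. With the source zone left at UTC, every event looks five hours old, nothing is evaluated and the rule never fires, which is the symptom in the thread. With the setting off, dt is the Collector Manager time, so the age is always zero and both Intruder Detected events fire, matching the observation that disabling the setting "fixes" it. The skew check separates the two root causes: skews clustered at a whole-hour offset point at a timezone set wrongly for the source, while a spread of a few minutes points at PA caching or reconnect delays.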
