Event Timestamp

h.parsons · ‎11-07-2005

I have an ASA-SSM (v5.x)with ntp running, I can do a sho clo and it has the correct time but the timestamps on my IPS events are way off.

marcabal · ‎11-07-2005

Verify that you have the correct timezone and summertime settings on the ASA-SSM.

Remember that the offset is in minutes so for example Central Standard Time (CST) that is -06:00 hours from GMT would be configured as -360 minutes.

When execute "show events" in the CLI you should see 2 different times for the event.

The first time is the GMT time of the event.

The second time is converted to the local timezone of the sensor.

Another thing to understand is that the event in the Native SDEE format will Only contan the GMT time. The Native SDEE format will also contain the offset and name of the local timezone so that a viewer can modify the event to show the local timezone.

The CLI was coded to show you the GMT, and also convert the time to the local timezone and show that as well.

BUT not all viewers may have implemented the ability to show you the events using local timezone of the sensor.

So I would suggest first checking the times in the sensor CLI's "show events" output, and then compare to the events in what ever event monitor you are using.

If you think "show events" is shoing the wrong time then can you paste in the following:

1) The portion of the output of "show conf" showing the timezone configuration on your sensor.

2) The output of "show clock".

3) And the output of "show events" taken immediately after the "show clock" so the events will have a time fairly close to when you did the "show clock".