Inaccurate TimeGenerated value in CommonSecurityLog


Hi,

I'm facing a weird issue where the TimeGenerated value is inaccurate when we use the query condition | where TimeGenerated >= ago()

See here:

[screenshot: query results]

As you can see above, the time is in the future compared to my local time at the bottom right.

But if I use | where TimeGenerated between()

or if I use the portal GUI Time Range, it is able to return the correct TimeGenerated value:

[screenshots: query results]

 

We noticed this issue after the Linux Log Relay server timezone was changed from JST to UTC, then changed back to JST again.

The server has been rebooted 3 times, after which I believe the rsyslog and AMA services would also have picked up the timezone change.

 

Urgently need advice on this as it will certainly disrupt our Analytic Rules as well as Hunting queries.
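A diagnostic query for this situation, added here as an example and not part of the original post: it compares each CommonSecurityLog record's TimeGenerated with ingestion_time() (the time Log Analytics received the record) and reports, per forwarder and per hour, how many rows are stamped in the future and by how much. It assumes the relay's hostname appears in the Computer column; the 5-minute tolerance and the 1-day window are arbitrary choices.

```kql
// Added diagnostic query, not from the original post.
// Assumption: the log relay's hostname is what appears in the Computer column.
let Tolerance = 5m;   // assumed allowance for ordinary clock skew between device and workspace
CommonSecurityLog
// Deliberately wide window: an upper bound of now() would hide exactly the rows we are looking for.
| where TimeGenerated between (ago(1d) .. (now() + 1d))
| extend IngestedAt = ingestion_time()
// Positive skew means the record claims to be from after the workspace received it.
| extend SkewMinutes = datetime_diff('minute', TimeGenerated, IngestedAt)
| summarize Records = count(),
            FutureDated = countif(TimeGenerated > IngestedAt + Tolerance),
            MinSkewMinutes = min(SkewMinutes),
            MaxSkewMinutes = max(SkewMinutes),
            SampleDeviceVendor = take_any(DeviceVendor)
    by Computer, bin(IngestedAt, 1h)
| where FutureDated > 0
| order by MaxSkewMinutes desc
```

A constant positive skew equal to the relay's UTC offset (JST is UTC+9, so about 540 minutes) points at timestamp or timezone handling on the forwarder rather than at the workspace. It also explains the difference between the two filters in the post: ago(x) is just now() - x with no upper bound, so a record stamped ahead of UTC still satisfies TimeGenerated >= ago(...), whereas between (ago(1h) .. now()) and the portal time picker both impose an upper bound that excludes it.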

 

Hey @ahhann

Check out this link here

Sounds like something has happened on the Log forwarder; this should correct the issue.

@BillClarksonAntill We're using AMA. The link you posted was for the legacy LAA.

Anyway, the issue was resolved after the Log Relay Server where the AMA was installed was rotated and started fresh, without any localtime under UTC.