int13h/squert

Timezone

Closed this issue · 2 comments

So...I know this is a timezone issue. I'm not able to run in UTC. So...I'm wondering where/what I need to do to get things on the same page. SQueRT reports:

Last Event: 11-09-30 11:09:39 (5.99 hours ago)

So I know something thinks it's GMT...question is what thinks that? Barnyard2? Sguild? The snort_agent? Need some guidance as I just can't seem to find it. Thank you.

James

Are you looking to display the events in localtime or UTC?

What are the timestamps in sguil?

mysql> SELECT MAX(timestamp) FROM event;

Howdy Paul.

Well..it's been a bit of a challenge, but I think I got it fixed. I changed my system time to UTC, gave barnyard2 a "config utc", and restarted everything. So here's what I have:

mysql> select now();
+---------------------+
| now() |
+---------------------+
| 2011-10-05 05:58:34 |
+---------------------+
1 row in set (0.00 sec)

mysql> SELECT MAX(timestamp) FROM event;
+---------------------+
| MAX(timestamp) |
+---------------------+
| 2011-10-05 04:57:22 |
+---------------------+
1 row in set (0.00 sec)

05:59:38 gateway:$ date
Wed Oct 5 05:59:39 UTC 2011
05:59:39 gateway:$ sudo hwclock
Wed 05 Oct 2011 05:59:53 AM UTC -0.172288 seconds

SQueRT shows:

Report Period: Between Wednesday Oct 5, 2011 00:00:00 and Wednesday Oct 5, 2011 23:59:59 (1 day)
Report Filter(s):
Distinct Event(s): 4
Total Event(s): 6
Last Event: 11-10-05 04:57:22 (1.04 hours ago)
Query Time: 0.001 seconds

So I think all is good. My last issue, which I was going to fire out to the snort group today, is how in the WORLD do you get NTP to work with this. From what I understand, I've just told my machine that it's in UTC time, but then set the clock to my current time, which is no longer UTC time. Do I just tell NTP to use my time zone? For home it's not a big deal, but for work....NTP is a requirement. This seems like no longer a snort/sguil/squert issue though...more of a linux/ntp thing. Thanks Paul...sidenote, really need a method to modify the database....in order to clean the test data out I had to completely redo the db...a real pain ;) I'll put in a request on the sguil support as well. Thanks again Paul....I'm now using squert and sguil exclusively at work...BASE is about to go bye bye :)

James
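One way to compare the three clocks checked above (MySQL now(), MAX(timestamp) from the event table, and the host's date output), as an added example that is not part of this thread or of Squert's own code: it reproduces the "(N hours ago)" figure and flags a skew between database and host clock that sits on a whole number of hours, which is the fingerprint behind the original 5.99-hour gap. The sample values are constructed from the output pasted above, and the function names are mine.

```python
"""Clock consistency check for a Sguil/Squert stack (added example)."""
from datetime import datetime, timezone

# Constructed sample input, copied from the output pasted in the thread.
MYSQL_NOW = "2011-10-05 05:58:34"        # mysql> select now();
MYSQL_MAX_TS = "2011-10-05 04:57:22"     # mysql> SELECT MAX(timestamp) FROM event;
DATE_U = "Wed Oct 5 05:59:39 UTC 2011"   # $ date   (host clock set to UTC)


def parse_mysql(ts: str) -> datetime:
    """Parse a MySQL DATETIME string; Sguil writes event.timestamp in UTC."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_date_utc(line: str) -> datetime:
    """Parse default `date` output such as 'Wed Oct  5 05:59:39 UTC 2011'."""
    weekday, mon, day, clock, zone, year = line.split()
    # A zone such as CDT means the host clock itself is not in UTC: stop here.
    if zone not in ("UTC", "GMT"):
        raise ValueError(f"host clock reports zone {zone!r}, expected UTC")
    naive = datetime.strptime(f"{year}-{mon}-{day} {clock}", "%Y-%b-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def hours_ago(now: datetime, event: datetime) -> float:
    """The figure Squert renders as 'Last Event: ... (N hours ago)'."""
    return round((now - event).total_seconds() / 3600, 2)


def diagnose(mysql_now: str, mysql_max_ts: str, date_line: str) -> dict:
    """Compare the database clock with the host's UTC clock and report skew."""
    db_now = parse_mysql(mysql_now)
    sys_now = parse_date_utc(date_line)
    skew_h = (db_now - sys_now).total_seconds() / 3600
    # Seconds of skew are just the delay between typing the two commands;
    # a skew that lands on a whole hour means one component stamps local time.
    nearest = round(skew_h)
    tz_mismatch = abs(skew_h) >= 0.5 and abs(skew_h - nearest) < 0.05
    return {
        "hours_ago": hours_ago(db_now, parse_mysql(mysql_max_ts)),
        "db_minus_host_hours": round(skew_h, 3),
        "timezone_mismatch": tz_mismatch,
        "suspected_offset_hours": nearest if tz_mismatch else 0,
    }
```

Run `diagnose(MYSQL_NOW, MYSQL_MAX_TS, DATE_U)` after the fix and the skew is seconds; feed it a pre-fix capture where the database clock runs six hours ahead of the host and the result names that offset.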

https://github.com/SQueRT/squert/issues/19#issuecomment-2297086