-
Notifications
You must be signed in to change notification settings - Fork 521
TimeZones
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/TimeZones.
When you run Security Onion Setup, it sets the timezone to UTC/GMT because that is the recommended/required setting for Sguil:
http://osdir.com/ml/security.sguil.general/2008-09/msg00003.html
https://forums.snort.org/forums/linux/topics/barnyard-sguil-time-problem
Trying to use a non-UTC timezone can result in the following:
- Time zones that have daylight saving time have a one-hour time warp twice a year. This manifests itself in Sguil not being able to pull transcripts for events within that one-hour time period. This is avoided by using UTC, since there is no daylight saving time.
- Something similar can happen on a daily basis under certain conditions. If there is a discrepancy between the OS timezone and the Sguil UTC settings, then Sguil will be unable to pull transcripts for events in a window of time around midnight coinciding with the timezone's offset from UTC.
Additionally, UTC comes in quite handy when you have sensors in different time zones and/or are trying to correlate events with other systems or teams.
Squert and Kibana allow you to render event timestamps in your local timezone. ELSA by default will render timestamps in the timezone of your local browser (more info below) and Squert allows you to change your timezone.
When you run our Setup wizard, it should automatically set your timezone to UTC. If you've already run Setup and then manually changed your timezone to non-UTC and would like to switch back to UTC, you can execute sudo dpkg-reconfigure tzdata
. Scroll to the bottom of the Continents list and select None of the above
. In the second list, select UTC
. (http://askubuntu.com/questions/138423/how-do-i-change-my-timezone-to-utc-gmt)
- click the time interval (labeled INTERVAL)
- on the right side, click the two arrows pointing right
- de-select UTC
- set your timezone offset (labeled TZ OFFSET)
- click the "save TZ" button
By default, Kibana will display timestamps in the timezone of your local browser. You can force Kibana to always display timestamps in UTC/GMT by setting dateFormat:tz to UTC
in Kibana (Management > Advanced Settings) .
By default, ELSA will display timestamps in the timezone of your local browser. You can force ELSA to always display timestamps in UTC/GMT by configuring the use_utc
setting in your ELSA Preferences panel.
Known issue in ELSA 713 (old ELSA package): If you access ELSA from a browser whose local timezone is not UTC and you haven't enabled the use_utc setting in your ELSA Preferences, then each search rolls the From time back the same number of hours as the UTC offset. For example, suppose you login to ELSA and notice that the From defaults to 2013-05-05 18:01:50. When you then perform a search, the From changes to 2013-05-05 14:01:50.
The workaround is to enable the use_utc setting in your ELSA
Preferences (which is probably a good idea anyway to ensure that your
timestamps in ELSA match your timestamps in Sguil/Squert):
- Navigate to ELSA -> Preferences:
2. Select Actions -> Add New Preference:
3. Enter the following into the new Preference:
Type = default_settings
Name = use_utc
Value = 1
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs