Timestamp for Windows events

Roberto_Del · 10-24-2023 07:31 AM

Hello everyone, my windows servers are sending DNS debug logs and NPS debug logs from the corresponding files, using NXLog im_file module. When I send the log to Chronicle SIEM, the parser works good but there is one issue.

The timezone configured on the Windows servers is CET (+02:00), while Chronicle parses the timestam as UTC. So my logs don't show up on chronicle portal until 2 hours from ingestion, and when they show, they have a wrong timestamp.

Do I need to change the timezone on my server or is there another way to make Chronicle use the right Timezone?

Maybe even using NXLog.

Thank you

manthavish

Hi Roberto,

If possible, it would be recommended to configure the time zone to UTC on the server. This recommendation is documented here.

Thanks,

Mantha

Roberto_Del

Is there any other solution?

manthavish

Hi Roberto,

You can try to use parser extensions to see if that helps.

SecEng-Tom

Does the raw log in Chronicle include a timezone or time offset?

Assuming that you are using the community edition since the NXLog Enterprise Edition supports DNS logging via ETW providers (Collect logs from Windows DNS Server | NXLog Docs).

maxjunker

We are facing timestamps in the future, which is a huge problem.
What is the recommended approach, if a data source cannot be configured to UTC? Writing a parser extension for every log source type can´t be a feasible solution.

SecEng-Tom

Hi Max,

Each log should ideally have a timezone (E.g., 2024-04-05T09:00:00 GMT) or offset (e.g., 2024-04-05T09:00:00 +01:00).

As far as I know, if you aren't able to provide either of the above, you'll have to make changes to the parser to accommodate this.