KBI 311378 Issue Addressed: Time of Event Generated By Argent for Compliance Might Be Ahead Of Current Time
Version
Argent Advanced Technology 3.1A-1601-C or earlier
Date
Monday, 18 April 2016
Summary
If the Supervising Engine and the target server are not in the same time zone, then when the Engine runs a Windows File Log Rule or a UNIX/Linux Log Rule against the target machine, the Event time of the fired Event or archived log is offset by the time-zone difference between the Engine and the target server
If the target server is in a time zone ahead of the Engine, the result is Events whose Event time lies in the future
For example, the Main Engine is in California (UTC-08:00) and the target server is in NYC (UTC-05:00)
The Main Engine monitors the target server directly
A log entry stamped 10 am EST matches the criteria, and an Event is fired
The Event will show up in Argent Console (A1x) as 10 am, though the current time is 7am locally
Things can become even more confusing if the target server is monitored by a Daughter Engine, and the Mother Engine, the Daughter Engine and the target server are all in different time zones
For example, the Main Engine is in California (UTC-08:00), the Daughter Engine is in Chicago (UTC-06:00), and the target server is in NYC (UTC-05:00)
A log entry stamped 10 am EST matches the criteria, and an Event is fired
The Event will show up in Argent Console (A1x) as 9 am, though the current time is 7am locally (California)
The issue has been addressed in Argent AT 3.1A-1601-T8
All Event times are now converted to UTC internally and displayed using the time zone of the Mother Engine
Note: The issue does not affect Windows Event Log Rules
Windows Event Log APIs always report the Event time in UTC
Technical Background
It is caused by a design error
The time difference between the Engine and the target server was not taken into account when scanning a Windows or UNIX/Linux file log, although the time difference between the Mother and Daughter Engines is accounted for
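The following is an added illustration of the defect and of the UTC-normalising fix, written for this KB and not taken from Argent's own code. It models the single-Engine case above: a file log on the target carries a local timestamp with no zone designator, the pre-T8 path treats that stamp as if it were in the Engine's own zone, and the T8 path attaches the target's zone, converts to UTC internally, and renders in the Mother Engine's zone. The fixed offsets, the sample log lines, the "now" value and all function names are constructed for the example; the future-time check is the sanity test an operator can run over archived Events to spot skewed entries.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets as quoted in the KB (standard time), constructed for this example
ENGINE_TZ = timezone(timedelta(hours=-8), "PST")   # Main / Mother Engine, California
TARGET_TZ = timezone(timedelta(hours=-5), "EST")   # target server, NYC

# Constructed sample file log: local-time stamps with no zone designator, as file logs usually write them
SAMPLE_LOG = """2016-04-18 09:58:01 INFO service started
2016-04-18 10:00:00 ERROR disk quota exceeded on /data
"""

# Constructed "current time": 7 am in California while the NYC log entry says 10 am
NOW_UTC = datetime(2016, 4, 18, 7, 0, tzinfo=ENGINE_TZ).astimezone(timezone.utc)


def parse_stamp(line):
    """Parse the leading 'YYYY-MM-DD HH:MM:SS' stamp; it is naive (no zone information)."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def event_time_buggy(line, engine_tz):
    """Pre-T8 behaviour: the naive stamp is taken as if it were in the Engine's own zone."""
    return parse_stamp(line).replace(tzinfo=engine_tz)


def event_time_fixed(line, target_tz):
    """T8 behaviour: attach the target's zone and normalise to UTC for internal storage."""
    return parse_stamp(line).replace(tzinfo=target_tz).astimezone(timezone.utc)


def render(event, mother_tz):
    """Display rule for the Console: always the Mother Engine's zone."""
    return event.astimezone(mother_tz).strftime("%Y-%m-%d %H:%M %Z")


def scan(log_text, pattern, engine_tz=ENGINE_TZ, target_tz=TARGET_TZ, now_utc=NOW_UTC):
    """Fire an Event for every line containing `pattern`; compare old and new Event times."""
    results = []
    for line in log_text.splitlines():
        if pattern not in line:
            continue
        buggy = event_time_buggy(line, engine_tz)
        fixed = event_time_fixed(line, target_tz)
        results.append({
            "line": line,
            "buggy_display": render(buggy, engine_tz),
            "fixed_display": render(fixed, engine_tz),
            # Sanity check an operator can run over archived Events: an Event time
            # later than the clock when it was scanned is a sign of the skew
            "buggy_in_future": buggy > now_utc,
            "fixed_in_future": fixed > now_utc,
            # Size of the error introduced by the old path, in minutes
            "skew_minutes": int((buggy - fixed).total_seconds() // 60),
        })
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG, "ERROR"):
        print(r["line"])
        print("  pre-T8 :", r["buggy_display"], "(future)" if r["buggy_in_future"] else "")
        print("  T8     :", r["fixed_display"], "(future)" if r["fixed_in_future"] else "")
        print("  skew   :", r["skew_minutes"], "minutes")
```

Because the fixed path stores UTC, a Daughter Engine in a third zone passes the same UTC value up to the Mother Engine, so the Console rendering no longer depends on where the Daughter sits.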
Resolution
Upgrade to Argent AT 3.1A-1601-T8 or later