Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[JSA] Event details and the difference between Start Time, Storage Time, and Log Source Time

0

0
Article ID: KB35159 KB Last Updated: 23 Oct 2019Version: 1.0 Summary:

This article differentiates between the Start Time, Storage Time, and Log Source Time parameters on the Event Information page in Juniper Secure Analytics (JSA).

Cause:

JSA displays three timestamp fields when users view the details of an event. These three timestamps can have different values depending on where the data originates, when the data arrives, and when it is written to disk in JSA.

The timestamp values that are seen in the UI are demonstrated in the following sample log event (UI_COMMIT_PROGRESS) as sent by Log Source to JSA:

As shown in the example above, there is approximately a one-minute delay between when the remote syslog event "UI_COMMIT_PROGRESS" occurred in the log source and when JSA received the event, as represented by the Log Source Time and Start Time, respectively.

Solution:

The parameters are explained as follows:

  • Start Time

Start Time in an event record represents the time at which the event arrived in the JSA appliance/VM. When an event arrives in the Event Pipeline, an object is created in memory, and the Start Time is set to that time.

Note: In JSA version 7.3.1 and later, the Start Time begins after the EC-ECS Ingress component of the Event Pipeline.

  • Storage Time

Storage Time refers to the time when data is written out to disk by the Ariel component at the end of the Event Pipeline. This can be useful for determining whether the Event Pipeline is backed up, for performance or licensing reasons. When investigating events delayed in the pipeline, or messages about licensing or dropped events due to licensing, you can look at the start timestamps and storage timestamps to see how far apart they are. This will give an indication of how delayed the pipeline may be.

  • Log Source Time

Log Source Time is pulled from the event payload itself after the system has parsed the event. The Log Source Time that is available in the syslog header is the value that is used. However, for some Log Sources, such as Windows logs that have a MessageTime field in the body of the payload, or in the Message= area of the payload, we might convert an epoch timestamp into a time, and then store that into the Log Source Time, overriding what is in the syslog header field.

Note:

  • If no time is available at all in the payload, then the Log Source Time field is populated with the same value as the Start Time.
  • If an event includes a time zone, then we adjust the Log Source Time to account for the time zone change.

Example

If an event includes a time zone that is GMT+8 to the Console, the Log Source Time should be listed as GMT-8 from the timestamp in the event payload. This is so that users can understand when the event occurred based on the Console time.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search