IBM Support

How to include timezone in syslog forwarded Guardium events

Troubleshooting


Problem

Guardium events forwarded through the remote syslog process do not include timezone information. As a result, events do not show up under the appropriate time filter in your SIEM, or the event time displayed in the SIEM is a few hours off.

Symptom

You may notice Guardium events not showing up under the appropriate time filter in your SIEM even though the payload has the correct time. Or you may notice that the event time displayed in the SIEM is a few hours earlier or later than the event time stated in the payload.

Cause

Out of the box, the Guardium appliance uses the RSYSLOG_TraditionalFileFormat template to write the timestamp. This is the default log file format, with low-precision timestamps and no timezone information. As a result, your SIEM may assume a different timezone and misrepresent the event time.

Resolving The Problem

The Guardium appliance syslog daemon needs to be configured to use the RSYSLOG_FileFormat template for the timestamp. This is a modern-style log file format similar to TraditionalFileFormat, but with high-precision timestamps and timezone information.

Please contact IBM Support to have this changed, and reference this article.


Syslog output with RSYSLOG_TraditionalFileFormat:
Feb 26 13:51:41 <hostname> init: ttyS1 (/dev/ttyS1) main process ended, respawning
Feb 26 13:51:41 <hostname> init: ttyS0 (/dev/ttyS0) main process (6463) terminated with status 1

Syslog output with RSYSLOG_FileFormat:
2018-02-26T13:52:01.804018-05:00 <hostname> init: ttyS1 (/dev/ttyS1) main process (6582) terminated with status 1
2018-02-26T13:52:01.804079-05:00 <hostname> init: ttyS1 (/dev/ttyS1) main process ended, respawning
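As an added illustration (not part of the IBM article), the following Python snippet parses both timestamp styles shown above and measures the skew a SIEM introduces when it has to guess the zone of a TraditionalFileFormat line. The hostname guardium01 and the -05:00 appliance offset are assumptions taken from the sample output.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines in the two rsyslog templates the article compares.
TRADITIONAL_LINE = "Feb 26 13:51:41 guardium01 init: ttyS1 (/dev/ttyS1) main process ended, respawning"
FILEFORMAT_LINE = ("2018-02-26T13:52:01.804018-05:00 guardium01 init: "
                   "ttyS1 (/dev/ttyS1) main process ended, respawning")

UTC = timezone.utc
APPLIANCE_TZ = timezone(timedelta(hours=-5))   # assumed: appliance runs at -05:00 as in the sample

# RSYSLOG_TraditionalFileFormat: "Mon DD HH:MM:SS" (no year, no zone, second precision).
_TRAD_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d:\d\d:\d\d) ")
# RSYSLOG_FileFormat: RFC 3339 timestamp with fractional seconds and a numeric offset.
_RFC3339_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) ")


def parse_timestamp(line, assumed_tz=UTC, assumed_year=2018):
    """Return (event time in UTC, unambiguous flag).

    A FileFormat timestamp carries its own offset, so assumed_tz/assumed_year are
    ignored. A TraditionalFileFormat timestamp has neither, so the receiver has to
    guess both, which is exactly where the skew described in the article comes from.
    """
    m = _RFC3339_RE.match(line)
    if m:
        ts = m.group(1).replace("Z", "+00:00")   # older fromisoformat() does not accept 'Z'
        return datetime.fromisoformat(ts).astimezone(UTC), True
    m = _TRAD_RE.match(line)
    if m:
        naive = datetime.strptime(f"{assumed_year} {m.group(1)} {int(m.group(2))} {m.group(3)}",
                                  "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=assumed_tz).astimezone(UTC), False
    raise ValueError("unrecognised syslog timestamp: " + line[:40])


def skew_seconds(line, siem_tz, appliance_tz):
    """Seconds between where a SIEM assuming siem_tz places a zone-less event and its
    true time on an appliance in appliance_tz. Negative means the SIEM shows it too early."""
    siem_view, _ = parse_timestamp(line, assumed_tz=siem_tz)
    true_view, _ = parse_timestamp(line, assumed_tz=appliance_tz)
    return int((siem_view - true_view).total_seconds())


if __name__ == "__main__":
    for name, line in (("TraditionalFileFormat", TRADITIONAL_LINE), ("FileFormat", FILEFORMAT_LINE)):
        when, exact = parse_timestamp(line, assumed_tz=UTC)
        print(f"{name:22} -> {when.isoformat()} unambiguous={exact}")
    print("skew if SIEM assumes UTC:", skew_seconds(TRADITIONAL_LINE, UTC, APPLIANCE_TZ), "s")
```

With the appliance at -05:00 and a SIEM that assumes UTC, the traditional line lands five hours early, while the FileFormat line resolves to the same UTC instant regardless of what the SIEM assumes.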


Document Information

Modified date:
19 November 2019

UID

swg22014061