Syslog Server showing wrong time in messages, UTC instead of IST
dp8
Newbie ✭
Current NTP Server : ntp.cais.rnp.br
above is what TSR is showing.
This DNS is resolving IP of Brazil, which is blocked in Geo-IP.
Neither have I configured any NTP Server on the firewall, nor do I have any on-premises.
We have tried with multiple Third-party software, but because the firewall shows "Current NTP Server: ntp.cais.rnp.br", all the software shows the same Timing on the report.
Can anybody guide me with the solution please, it would be highly appreciated.
Firewall- TZ-500
Firmware- 6.5.4.14
Syslog Server- Third party
Category: Firewall Management and Analytics
0
Answers
@DP8 what are your setting at Mange → Appliance → System Time
Time Zone is set to your local Zone?
Did you enabled "Display UTC in logs (instead of local time)", which what cause what you described.
—Michael@BWC
Hey @BWC ,
Thanks for instant reply.
please find the settings below.
#System : Time_START
Time Zone : "India (GMT+5:30)"
Use NTP : yes
Use DST : no
Use UTC In Log : no
Use International Format : no
Only Use Custom NTP Server: no
NTP Update Interval : 60 minutes
Custom NTP Server List :
Current NTP Server : ntp.cais.rnp.br
#System : Time_END
@dp8 why do you have ntp.cais.mp.br in your config if Brazil is blocked? System time on your appliance is correct or already drifted? You should configure a valid NTP server from which you know it's working.
I checked my config and local time is properly reported to syslog.
—Michael@BWC
You are very right, @BWC you got the point.
That is the problem I have not configured anything on the firewall and even Brazil is blocked, but still it shows like that in TSR.
The System Time is correct and no any problem with that its only with the syslog server, and I want to change what TSR shows, The Current NTP Server.
From where I can make changes which affect that field on TSR.
@DP8 custom NTP Servers are configured at Manage → Appliance → System Time and enable " Only use custom NTP servers".
I deleted all of my custom NTP servers and TSR still shows one.
Best way is probably to define a valid NTP server for that location.
—Michael@BWC
#System : Time_START
Time Zone : "India (GMT+5:30)"
Use NTP : yes
Use DST : no
Use UTC In Log : no
Use International Format : no
Only Use Custom NTP Server: yes
NTP Update Interval : 60 minutes
Custom NTP Server List :
Auth Type : NULL
Current NTP Server : ntp.cais.rnp.br
#System : Time_END
@BWC
See above is the settings after changes I made, and still it shows the same "ntp.cais.rnp.br" as a current NTP Server in TSR.
I didnt understand this Line "Best way is probably to define a valid NTP server for that location.".
Or is there any option "Diag page" which may help in this case?
@DP8 if 192.168.99.236 is a functioning NTP server you should be good. It seems that "Current NTP Server" in the TSR is the last one the appliance tried to connect to. Check again after your interval of 60 Minutes is past.
—Michael@BWC
Good Morning,
Yes @BWC, I have tried that but that also doesn't help. so we talked to the Sonicwall Support team.
they are also checking but not getting the solution.
stuck in this case, any help would be appreciated…
Btw, thanks MR.Michael, for showing interest in providing the solution at your best.
@dp8 I changed the TimeZone on a Gen6 with 6.5.4.14 to India and the syslog reflects the change.
The first timestamp (CEST) is added by my syslog but the time= value comes from the Firewall.
<local0.info>2024-05-15T06:43:28.946338+02:00 shield.bwc.internal id=shield sn=xxxxxxxxx time="2024-05-15 10:13:28" fw=24.xxx.xxx.xxx7 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.x.x.x:54581:X12 dst=10.x.x.x:80:X12 usr="admin" proto=udp/http sent=46 spkt=1 sess="Web" app=49176 appName='General HTTP MGMT' n=15150425 fw_action="NA" dpi=0
IMHO the NTP server returns a time in UTC and the TimeZone representation is done on the SNWL or the syslog server.
—Michael@BWC