Hi gents,
Just came back from a customer intervention over their Firepower, having an issue with the timestamps on syslog messages.
We've essentially forwarded both policy logs and platform events over to an external Linux collector for a Splunk to pick it all up and deal.
Timestamps show up over the collector with a 2hr difference that we're unable to figure out.
* All syslog messages generated out of policy logs are sent out in UTC (documentation is clear on this point).
* All syslog messages for firewall events (ha, config, system, ...) are sent out in local time (+2hr).
Platform versions and config as well as what has been tried out:
FMC VMWARE 6.3.0.2
NTP is set to sync from their Domain Controller but there's an advisory message saying this is unsupported on 4000 series.
Under User preferences, Timezone Preference is set to EU/Madrid. Changing to UTC caused no effect on platform syslog messages, same 2 hr difference.
Syslog is enabled under Platform Settings and sending out all Warning messages to the Linux box.
At syslog settings enabled "Enable Timestamp on each syslog message", left Facility at the default Local4(20). Made no difference.
Syslog is enabled for policy log forwarding. At "Send Connection Events to", there are two options: the first uses any Syslog server specified right on the spot, and the second, for platforms 6.3 and above, allows overriding with the main platform configured syslog. Tried all options, one by one and together, with no effect on the 2hr difference.
CHASSIS 4140 ver 2.6.1.131
NTP in both Active/Standby units is set to sync up with a Domain Controller. Timezone there is local EU/Madrid.
So some questions arise here: why are these two syslog messages not all in UTC?
If the platform-specific syslog is picking the time somewhere else, is it picking it from the external NTP server configured at the Chassis?
Both platform event syslog and policy log syslog were enabled only at the FMC, why this time difference and how to fix it?
Any thoughts?
Thanks for your support.
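As an added illustration (not from the original poster or Cisco), one way to reconcile the two streams on the Linux collector before Splunk indexes them: rewrite the RFC 3164 header timestamp of every message to UTC, treating the platform-event stream as Europe/Madrid local time and the policy-log stream as already UTC. It assumes the operator can tell the two streams apart (for example by the collector port each is sent to); the sample lines and hostnames are constructed.

```python
"""Normalise Firepower syslog header timestamps to UTC on the collector (example)."""
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("Europe/Madrid")  # local zone of FMC/chassis per the post
except Exception:  # no tz database: assume the +2h (summer) offset seen in the post
    LOCAL_TZ = timezone(timedelta(hours=2))

UTC = timezone.utc

# RFC 3164 header: optional <PRI>, "Mmm dd hh:mm:ss" (no year, no zone), then body.
HEADER_RE = re.compile(
    r"^(<\d{1,3}>)?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$", re.S
)


def normalize(line, source_in_local_time, year):
    """Return the line with its header timestamp rewritten as RFC 3339 UTC.

    source_in_local_time: True for platform events (HA/config/system), which
    the post observed in local time; False for policy logs already in UTC.
    year: RFC 3164 stamps carry no year, so the collector must supply it.
    Returns None when the line has no parseable header (leave it untouched).
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri, stamp, body = m.groups()
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    aware = naive.replace(tzinfo=LOCAL_TZ if source_in_local_time else UTC)
    utc_stamp = aware.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{pri or ''}{utc_stamp} {body}"


def local_offset_hours(stamp, year):
    """Offset (hours) between the local zone and UTC for a given stamp.

    With a tz database this follows Madrid DST: 2 in summer, 1 in winter, so
    the '2hr difference' in the post would shrink to 1hr after the clocks change.
    """
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=LOCAL_TZ).utcoffset() // timedelta(hours=1)


if __name__ == "__main__":
    # Constructed sample lines, not real Firepower output.
    platform = "<165>Jul 14 10:15:00 ftd-a HA state change (constructed)"
    policy = "Jul 14 10:15:00 fmc connection event (constructed)"
    print(normalize(platform, True, 2023))   # -> <165>2023-07-14T08:15:00Z ...
    print(normalize(policy, False, 2023))    # -> 2023-07-14T10:15:00Z ...
```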