Security Analytics sends syslog CEF unix timestamp format < 13 digit

Article ID: 169043

Products

Security Analytics

Issue/Introduction

The Security Analytics syslog CEF format is shown below. The start= and end= extension fields at the end of the line carry a Unix timestamp in milliseconds, which should be 13 digits long.

CEF:0|<OB_CEF_DEVICE_VENDOR>|<OB_CEF_DEVICE_PRODUCT>|<VERSION>|<OB_CEF_EVENT_ID_ALERT>|<OB_CEF_EVENT_NAME_ALERT>|<alert importance>|src=<ipv4_initiator> spt=<port_initiator> dst=<ipv4_responder> dpt=<port_responder> start=<UNIX timestamp> end=<UNIX timestamp> smac=<ethernet_initiator> dmac=<ethernet_responder> msg="Action: '<action name>' was triggered by Favorite: '<favorite name>'" 

Security Analytics is sending only 12 digits, so the receiving system interprets the value as a much smaller millisecond count and displays a time in the 1970s.

Cause

The timespec_to_string function does not format the milliseconds portion of the timestamp to a fixed width of three digits, so millisecond values that need fewer than three digits are written without leading zeros. Statistically speaking, about ten percent of the formatted timestamps will therefore be wrong or truncated.
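The following added example (not the vendor's code) reconstructs the defect described above as a hypothetical non-padded formatter beside its fixed-width counterpart, shows why roughly ten percent of values are affected and why a 12-digit value displays as a 1970s date, and checks the start=/end= fields of a CEF line for the expected 13 digits. The CEF line, vendor and product names, addresses and MACs are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Hypothetical reconstruction of the defect the article describes; this is
# not the vendor's actual timespec_to_string implementation.
def timespec_to_string_buggy(sec: int, nsec: int) -> str:
    """Seconds followed by milliseconds with no zero padding."""
    return f"{sec}{nsec // 1_000_000}"

def timespec_to_string_fixed(sec: int, nsec: int) -> str:
    """Seconds followed by milliseconds padded to a fixed width of three."""
    return f"{sec}{nsec // 1_000_000:03d}"

def fraction_misformatted() -> float:
    """Share of millisecond values (0..999) the unpadded formatter gets wrong."""
    sec = 1_634_520_900
    bad = sum(
        timespec_to_string_buggy(sec, ms * 1_000_000)
        != timespec_to_string_fixed(sec, ms * 1_000_000)
        for ms in range(1000)
    )
    return bad / 1000

def displayed_year(ts: str) -> int:
    """Year a collector shows when it treats the field as epoch milliseconds."""
    return datetime.fromtimestamp(int(ts) / 1000, tz=timezone.utc).year

# Only the start= and end= extension fields carry the timestamp.
_TS_FIELD = re.compile(r"\b(start|end)=(\d+)")

def check_cef_timestamps(line: str) -> dict:
    """Map each start/end field to (value, True if it has the expected 13 digits)."""
    return {k: (v, len(v) == 13) for k, v in _TS_FIELD.findall(line)}

# Constructed sample line in the article's layout (placeholder vendor/product,
# documentation-range addresses); not a real capture.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleProduct|7.1|1000|Favorite alert|5|"
    "src=192.0.2.10 spt=51000 dst=198.51.100.20 dpt=443 "
    "start=163452090045 end=1634520900123 "
    "smac=00:00:5e:00:53:01 dmac=00:00:5e:00:53:02 "
    "msg=\"Action: 'Email' was triggered by Favorite: 'Suspicious DNS'\""
)

if __name__ == "__main__":
    for field, (value, ok) in check_cef_timestamps(SAMPLE_CEF).items():
        print(f"{field}={value} digits={len(value)} ok={ok} year={displayed_year(value)}")
```

Running the check over a collector's CEF feed is a quick way to confirm whether an upstream sensor still ships the short form before upgrading.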

Resolution

This is fixed in Security Analytics version 7.2.x and greater.