Carbon Black Cloud: Why is the incorrect time listed in the console?

Article ID: 287450

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why do sensor events report a future or past time in the Web Console?
  • Example: the console shows August 19, 2022 when the event actually happened on July 5, 2022.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Versions

Resolution

The sensor uses the time reported by the OS that is running the sensor to report the timestamp on events. If the system time is set incorrectly, the events in the console will reflect this time.
This can be verified by performing one of the following checks.
  • The backend_timestamp in devtools shows the time the event was ingested by the backend. Use it to find the matching period in the sensor logs and check whether the timestamps around that time changed unexpectedly (e.g. went backwards or jumped far into the future).
  • In the Security log, use "Filter Current Log..." for Event ID 4616 (Source = Microsoft-Windows-Time-Service)
  • In the System log, use "Filter Current Log..." for Event ID 52 (Source = Time-Service), Event ID 129 (Source = Time-Service) and/or Event ID 1 (Source = Kernel-General)

These events show whether the NTP server was reachable, whether the time was adjusted, and by how much.
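The first check can be scripted over exported events. The following is an added example, not Carbon Black code: it flags events whose sensor-reported time disagrees with `backend_timestamp` and spots backward jumps in the sensor clock. The `device_timestamp` field name, the 15-minute tolerance and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events. "backend_timestamp" is the field named in the
# article; "device_timestamp" (time from the endpoint's OS clock) is an
# assumed field name for the sensor-reported time.
SAMPLE_EVENTS = [
    {"event_id": "e1", "device_timestamp": "2022-07-05T10:00:02Z", "backend_timestamp": "2022-07-05T10:00:40Z"},
    {"event_id": "e2", "device_timestamp": "2022-08-19T10:01:00Z", "backend_timestamp": "2022-07-05T10:01:30Z"},
    {"event_id": "e3", "device_timestamp": "2022-08-19T10:02:00Z", "backend_timestamp": "2022-07-05T10:02:35Z"},
    {"event_id": "e4", "device_timestamp": "2022-07-05T10:03:10Z", "backend_timestamp": "2022-07-05T10:03:45Z"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2022-07-05T10:00:02Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_clock_anomalies(events, tolerance=timedelta(minutes=15)):
    """Return (skewed, jumps).

    skewed: (event_id, direction, skew) where the sensor clock differs from
            the backend ingest time by more than `tolerance` (assumed value).
    jumps:  (prev_id, event_id, amount) where, in ingest order, the sensor
            clock moved backwards between consecutive events.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["backend_timestamp"]))
    skewed, jumps = [], []
    previous = None  # (event_id, device time) of the previously ingested event
    for event in ordered:
        device = parse_ts(event["device_timestamp"])
        backend = parse_ts(event["backend_timestamp"])
        skew = device - backend
        if abs(skew) > tolerance:
            direction = "future" if skew > timedelta(0) else "past"
            skewed.append((event["event_id"], direction, skew))
        if previous is not None and device < previous[1]:
            jumps.append((previous[0], event["event_id"], previous[1] - device))
        previous = (event["event_id"], device)
    return skewed, jumps

if __name__ == "__main__":
    skewed, jumps = find_clock_anomalies(SAMPLE_EVENTS)
    for event_id, direction, skew in skewed:
        print(f"{event_id}: sensor clock in the {direction} by {abs(skew)}")
    for prev_id, event_id, amount in jumps:
        print(f"{prev_id} -> {event_id}: sensor clock went backwards by {amount}")
```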

Additional Information

On physical systems, a bad CMOS battery can cause the system to boot with an incorrect time. Most operating systems will then attempt to connect to an NTP server and adjust the time. The logs written before the NTP server updated the time are still uploaded to the console, which causes the confusion.