Forum Discussion
Inaccurate TimeGenerated value in CommonSecurityLog
Hi,
I'm facing a weird issue where the TimeGenerated value is inaccurate when we use the query condition | where TimeGenerated >= ago()
See here (screenshot not reproduced):
As you can see in the screenshot, the time is in the future compared to my local time at the bottom right.
But if I use | where TimeGenerated between()
or if I use the portal GUI Time Range, it is able to return the correct TimeGenerated value (screenshot not reproduced):
We noticed this issue after the Linux log relay server's timezone was changed from JST to UTC, then changed back to JST again.
The server has been rebooted 3 times, so I believe the rsyslog and AMA services would also have taken the timezone changes into effect.
I urgently need advice on this, as it will certainly disrupt our analytic rules as well as our hunting queries.
2 Replies
- BillClarksonAntill (Iron Contributor)
Hey ahhann,
Check out this link https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format#:~:text=Changing%20the%20source%20of%20the%20TimeGenerated%20field
Sounds like something has happened on the log forwarder; this should correct the issue.
- ahhann (Copper Contributor)
BillClarksonAntill, we are using AMA. The link you posted was for the legacy LAA.
Anyway, the issue was resolved after the log relay server where the AMA was installed was rotated and started fresh, without any localtime, under UTC.
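A hunting query to spot this condition before it breaks analytic rules, added here as an example and not posted by either participant in the thread. The idea is to compare each record's TimeGenerated with ingestion_time(), the moment Log Analytics actually received it: a healthy forwarder shows a small positive lag, while a forwarder whose local clock or timezone handling is off shows records stamped ahead of their own ingestion. The 30-minute tolerance and the 1-day lookback are assumptions chosen for illustration; ingestion_time(), datetime_diff, percentile and countif are standard KQL functions. Note the filter is on ingestion_time() rather than TimeGenerated, precisely because TimeGenerated is the value under suspicion.

```kql
// Added example (not from the original thread): find CEF/syslog forwarders whose
// TimeGenerated runs ahead of the time Log Analytics actually received the record.
// Assumed thresholds for illustration: 1d lookback, 30m tolerance for ordinary jitter.
let lookback = 1d;
let skew_threshold = 30m;
CommonSecurityLog
// Filter on ingestion time, not TimeGenerated, since TimeGenerated may be skewed.
| where ingestion_time() >= ago(lookback)
| extend IngestedAt = ingestion_time()
// Positive lag = normal (received after the event time); negative = clock/timezone problem.
| extend LagSeconds = datetime_diff('second', IngestedAt, TimeGenerated)
| summarize Events = count(),
            MinLagSeconds = min(LagSeconds),
            MedianLagSeconds = percentile(LagSeconds, 50),
            FutureEvents = countif(TimeGenerated > IngestedAt + skew_threshold)
    by Computer, DeviceVendor, DeviceProduct
| where FutureEvents > 0
// A JST-vs-UTC mismatch typically surfaces here as roughly +9.0 hours.
| extend ApproxOffsetHours = round(-MedianLagSeconds / 3600.0, 1)
| order by FutureEvents desc
```

Run this from the Logs blade with the time picker set wide enough to cover the lookback; if it returns rows, the listed Computer is the forwarder to inspect (timedatectl, rsyslog and AMA configuration) before trusting any scheduled rule that windows on TimeGenerated.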