SOLVED
Syslog data connectors and local time zones

JMROWE
Regular Visitor

Is there a way of adding a local time zone to a syslog data connector to ensure Azure Sentinel is using the correct time?
Can the Linux agent https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog do UTC conversion or tag the event with the local timezone data?
2 Replies
Solution

@JMROWE The agent doesn't do any translation so you would need to either do this on the Linux server before the syslog agent acquires it, use something like logstash on the Linux box to add a new column with the location time, or add a new column for local time when performing your query.
This page has more on using KQL to perform operations on dates:

https://docs.microsoft.com/en-us/azure/kusto/query/datetime-timespan-arithmetic
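The third option in the answer above, adding a local-time column at query time, looks like the following KQL. This is an added example and not code from the thread or from Microsoft's documentation; the fixed offset (UTC+10), the IANA zone name 'Australia/Sydney', and the use of the Syslog table's EventTime field to estimate sender clock skew are assumptions to be replaced with the values for your own devices.

```kql
// Added example (not from the original thread): derive local-time columns
// from the UTC TimeGenerated field so rows can be compared against a
// device's own clock, without altering the timestamp Sentinel keys on.
let LocalOffset = 10h;   // assumption: device clock is UTC+10 with no DST
Syslog
| where TimeGenerated > ago(1h)
// Option A: simple timespan arithmetic, as in the linked doc page.
| extend LocalTimeFixed = TimeGenerated + LocalOffset
// Option B: datetime_utc_to_local() applies DST rules for a named zone
// (zone name is an assumption; use the sender's real zone).
| extend LocalTimeTz = datetime_utc_to_local(TimeGenerated, 'Australia/Sydney')
// Assumption: EventTime holds the timestamp parsed from the syslog header.
// A consistent non-zero difference here is a sign the sender stamps
// messages in local time while the agent stored them as UTC.
| extend ClockSkew = EventTime - TimeGenerated
| project TimeGenerated, LocalTimeFixed, LocalTimeTz, ClockSkew,
          Computer, Facility, SeverityLevel, SyslogMessage
| take 20
```

Keep TimeGenerated unmodified and use the derived columns only for display and correlation: scheduled analytics rules, lookback windows, and incident timelines all key on TimeGenerated, so rewriting it would shift detections rather than fix the labelling. The ClockSkew column is also a quick check that the Linux host's clock and time zone are configured correctly before relying on its events.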

BTW, when you perform queries in the Logs page, you can change the time that gets displayed to your local time. On the far side of the screen where the results are shown is a drop down to change how the time is displayed.