[Snort-users] Time off in MySql database

Hutchinson, Andrew Andrew.Hutchinson at ...3639...
Thu Aug 29 06:21:03 EDT 2002


Not sure what OS you're running, but is it possible that the machines
are configured for different timezones?  I use Red Hat generally (please
direct all flames to /dev/null...), and you can check the timezone
configuration in /etc/sysconfig/clock.  They have a little ncurses app
called "timeconfig" that lets you change your config.  I'd check that
first.

Just as a suggestion (again, see above for flame redirection
instructions), I like to run all of my servers using UTC.  Once you get
used to the mental correction for local time, it makes things much
easier.  I don't ever have to adjust for Daylight Savings, and if I need
to tell somebody when an event took place, it is very easy - it doesn't
matter if they're in Abilene or Abu Dhabi, Zulu time is the same the
whole world 'round.

Andrew

-----Original Message-----
From: Chuck Curto [mailto:Chuck.Curto at ...3919...] 
Sent: Wednesday, August 28, 2002 10:26 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Time off in MySql database


I have many Snort sensors dumping their logs into one IDS manager. The
Snort sensors are on RedHat Linux computers and the IDS Manager is also
a RedHat Linux computer running Apache, MySql, and Acid. The time on all
the sensors and the manager is the same (I'm using NTP), and when I
bring up the main screen of Acid the "Queried on" date is correct.

The problem I'm having is when I open up any alert detail. The date and
time on the alerts are off and they're not all off the same amount. When
I look at the "data" table in MySql, the dates and times are off in
there. I know Acid is just showing what's in the MySql database but I
can't figure out why the date and time are off. I can't figure out if
it's the sensors or the IDS manager that's causing the problem but the
data isn't as useful to me if the date and time aren't correct.

Any suggestions?

Chuck
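
The following is an added example, not part of the original thread: a way to tell whether per-sensor timestamp errors like those described above come from timezone configuration (offsets that land on a quarter-hour boundary) or from an unsynchronised clock. The sample rows, sensor names and the 30-second tolerance are constructed assumptions, and it presumes a test alert was triggered on each sensor at a known UTC time.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"
TOLERANCE = 30         # seconds of jitter accepted (assumed value)
QUARTER_HOUR = 900     # real UTC offsets are multiples of 15 minutes

# Constructed sample rows: (sensor, timestamp stored in the database,
# UTC time at which the test alert was actually triggered).
SAMPLES = [
    ("sensor-a", "2002-08-28 14:26:05", "2002-08-28 14:26:03"),
    ("sensor-a", "2002-08-28 14:31:10", "2002-08-28 14:31:09"),
    ("sensor-b", "2002-08-28 10:26:04", "2002-08-28 14:26:03"),
    ("sensor-b", "2002-08-28 10:31:11", "2002-08-28 14:31:09"),
    ("sensor-c", "2002-08-28 15:26:02", "2002-08-28 14:26:03"),
    ("sensor-d", "2002-08-28 14:43:40", "2002-08-28 14:26:03"),
]

def sensor_offsets(samples):
    """Median (stored - actual) offset in seconds for each sensor."""
    per_sensor = defaultdict(list)
    for sensor, stored, actual in samples:
        delta = datetime.strptime(stored, FMT) - datetime.strptime(actual, FMT)
        per_sensor[sensor].append(delta.total_seconds())
    return {s: median(v) for s, v in per_sensor.items()}

def classify(offset):
    """Label an offset as in sync, a timezone difference, or clock drift."""
    if abs(offset) <= TOLERANCE:
        return "in sync"
    nearest = round(offset / QUARTER_HOUR) * QUARTER_HOUR
    if abs(offset - nearest) <= TOLERANCE:
        sign = "+" if nearest > 0 else "-"
        hours, rem = divmod(abs(nearest), 3600)
        return f"timezone UTC{sign}{hours:02d}:{rem // 60:02d}"
    return "clock drift"

def report(samples):
    """Map each sensor to its verdict."""
    return {s: classify(o) for s, o in sensor_offsets(samples).items()}

if __name__ == "__main__":
    for sensor, verdict in sorted(report(SAMPLES).items()):
        print(sensor, verdict)
```

A sensor reported as a timezone offset is writing local time and is the one whose timezone setting needs checking; one reported as clock drift points at time synchronisation instead.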

