How time conversion works in EventLog Analyzer
Objective
This article explains how time conversion is handled in EventLog Analyzer while accessing log data when the EventLog Analyzer server and endpoint devices operate in different time zones. It also provides guidance on how to identify and troubleshoot timezone discrepancies between the server, log sources, and the user's browser.
Pre-requisites
Before troubleshooting or adjusting timezone settings, collect the following details:
- The timezone of the EventLog Analyzer server.
- The timezone configured on device in EventLog Analyzer for which the concern arises.
- The timezone of the browser/machine from which EventLog Analyzer user interface is being accessed.
Accurate identification of these timezones is essential for validating the time differences shown in:
- The Last Message Time in Device Management
- The Search tab
- The Reports tab
- The Alerts tab
Understanding time conversion
Case 1: Eventlog Analyzer and endpoint devices in different timezones
In this case, we'll explain how logs are processed in EventLog Analyzer when the server and endpoint devices operate in different timezones. It details how time zone settings affect log collection, storage, and display within the Eventlog Analyzer Console.
For instance, we can consider the following scenario where:
1. Syslogs are forwarded from a device set to UTC -11:00.
2. The EventLog Analyzer server operates in GMT +5:30 (e.g., IST).
3. The syslog device's timezone is correctly updated in EventLog Analyzer to reflect UTC -11:00.
How this works in Eventlog Analyzer
1. Log display in the Eventlog Analyzer Console
In the Device Management tab → under the Last Message Time column, Search tab, and Reports tab, syslogs appear as 16.5 hours ahead of the original timestamp.
This is calculated as:
EventLog Analyzer timezone (GMT +5:30) - Device timezone (UTC -11:00) = +16.5 hours
2. Log storage (ElasticSearch)
Regardless of the source or destination timezone, logs are stored in GMT timezone in the backend (ElasticSearch).
When logs are retrieved, they are displayed according to the timezone of the user.
In conclusion, the log timestamps displayed in EventLog Analyzer are adjusted based on the timezone of the accessing user, not necessarily the device or server. Even though logs are stored in GMT, the EventLog Analyzer console reflects the local timezone of the interface from which the logs are viewed.
Case 2: What to do if there are time discrepancies in logs when EventLog Analyzer and endpoint devices share the same timezone
Even when both EventLog Analyzer and the endpoint devices are configured to the same timezone, discrepancies in displayed log timestamps may still occur. These inconsistencies are often due to mismatched timezone settings across the server, devices, and the browser used to access EventLog Analyzer.
Possible causes
Time discrepancies can arise due to:
- Incorrect or outdated timezone settings on the device.
- Improper timezone configuration within EventLog Analyzer for the log source.
- Browser or client system timezone differing from the server/device timezone.
Resolution steps
Step 1: Verify timezone settings on all components
Ensure the following timezones are consistent:
- EventLog Analyzer server timezone
- Log source (Windows/Syslog device) system timezone
- User browser/client system timezone
Step 2: Update device timezone in EventLog Analyzer
If the device timezone is misconfigured in EventLog Analyzer, follow these steps to correct it:
- Navigate to Settings > Log Source Configuration > Devices > Windows/Syslog Devices.
- Click Update Device for the relevant entry.
- Select Advanced Settings.
- Choose and apply the correct Device Timezone to match the actual device/system timezone.
Reference screenshot:
Step 3: Cross-Check Browser/System Timezone
- On the local system accessing ELA, verify that the timezone matches the expected one.
- This affects how logs are displayed in the ELA console interface, especially in tabs like:
- Search
- Reports
- Alerts
- Device Management → Last Message Time
Tips
- Configure the device timezone in EventLog Analyzer to match the log source during setup.
- Verify OS time and timezone on both the EventLog Analyzer server and endpoint devices before updating settings.
- Use known event timestamps from EventLog Analyzer to confirm log time accuracy.
- Ensure Daylight Saving Time (DST) adjustments are consistent across all systems and the EventLog Analyzer server.
Related Articles
New to ADSelfService Plus?
Related Articles
Introduction to EventLog Analyzer
What is log management? An enterprise network consists of different entities—perimeter devices, workstations, servers, applications, and more. Each entity records every activity that unfolds within it in the form of logs. These logs hold information ...Error: Time delay in exporting reports from EventLog Analyzer
Issue description Users might experience significant delays when exporting large volumes of report data from EventLog Analyzer, particularly during manual or bulk exports via the web interface. This article offers resolutions for this experience. ...Enabling historic log collection in EventLog Analyzer
EventLog Analyzer collects all the logs present in the Windows Event Viewer (i.e., Windows Logs > Application, Security, System) when the historic log collection option is enabled. To enable historic log collection, follow the steps below: Navigate ...Troubleshooting guide: EventLog Analyzer UI is unresponsive
Overview This document outlines the common causes and recommended steps to resolve the issue when the EventLog Analyzer UI becomes unresponsive. Possible causes Insufficient system resources High CPU or memory usage on the server. Low disk space in ...Unable to login to EventLog Analyzer
Issue description Users are unable to log in to the EventLog Analyzer web console due to issues such as incorrect credentials, improper authentication method selection, unsynced domain accounts, or browser-related problems. This article provides a ...