FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vtsonev
Staff
Article Id 356339
Description This article describes a method to sync time and change the NTP configuration.
Scope FortiSIEM 6.X, 7.X.
Solution

Incorrectly configured system time can lead to a range of issues, including:

  • Communication issues between nodes.
  • Incorrect event received time.

Correctly configured time and time zone settings are critical to proper system operation and accurate logging. FortiSIEM should be configured to use NTP wherever possible.
The system clock should be set to UTC, with the correct local time established by configuring the Time Zone.
This is configured when the system is first installed and should be done before the network setup and system configuration are performed.
The time must be synchronized between all nodes in a distributed deployment.

Time sync with NTP.

  1. Check the current system time:

date

  2. Check the active NTP servers:

ntpq -pn

  3. Modify the configuration so that reachable, working servers are listed:

vi /etc/ntp.conf

  4. Stop the NTP service so that the time can be stepped on the host:

service ntpd stop

  5. Update the time using ntpdate and check that the time has been updated:

ntpdate -s time.google.com
date

  6. Restart the NTP service:

service ntpd start

Tip: VMware virtual machines sync their time with the ESX host by default. The time is synced from the host's BIOS clock, so even if the time is correctly set using NTP on the guest OS, it reverts to the ESX host time within a few minutes.

Two possible solutions:

  1. Correct the ESX host time by syncing it with NTP servers.
  2. Disable time syncing of virtual machines with the ESX host.

Note: As of FortiSIEM 7.4.2, the following procedure (using chronyd) applies:

  1. Check the active NTP servers used by chronyd:

chronyc sources

  2. Modify the configuration to disable the default server 2.pool.rocky.ntp.org:

vi /etc/chrony.conf

Put a '#' in front of the line for the default 2.pool.rocky.ntp.org to disable it.

  3. Add an NTP server X.X.X.X (for example, 8.8.8.8 or another server) in the same file.

  4. Restart the chronyd service:

sudo systemctl restart chronyd.service

  5. Check the service status:

systemctl status chronyd.service

  6. Verify the NTP servers used by chronyd:

chronyc sources
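The chrony.conf change and the final `chronyc sources` check from the 7.4.2 procedure above, as an added shell example that is not part of this article or of FortiSIEM itself. The server addresses 10.0.0.5 and 10.0.0.6, the temporary file and the sample `chronyc sources` output are constructed for illustration; on a real node the first argument would be /etc/chrony.conf.

```shell
#!/bin/sh
# Added example (not from the Fortinet article or FortiSIEM): apply the
# chrony.conf change from the 7.4.2 steps in a repeatable way and check the
# `chronyc sources` output for a source chronyd has actually selected.
# Server addresses, the temporary file and the sample output are constructed.

# chrony_set_servers CONF SERVER...: put '#' in front of the default Rocky pool
# line and append a 'server ADDR iburst' line for each address not yet present.
chrony_set_servers() {
    conf=$1; shift
    sed 's/^\(pool 2\.pool\.rocky\.ntp\.org\)/#\1/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    for srv in "$@"; do
        grep -qE "^server $srv( |$)" "$conf" \
            || printf 'server %s iburst\n' "$srv" >> "$conf"
    done
}

# chrony_selected_source: read `chronyc sources` output on stdin and print the
# source chronyd is synchronised to (the line marked '^*'); exit 1 if none.
# A running service with no '^*' line means the clock is NOT being corrected.
chrony_selected_source() {
    awk '$1 == "^*" { print $2; found = 1 } END { exit !found }'
}

# Constructed sample of `chronyc sources` after the change: 10.0.0.5 is the
# selected source, 10.0.0.6 is a candidate ('+'), the pool entry is gone.
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.5                      2   6   377    23   -123us[ -140us] +/-   12ms
^+ 10.0.0.6                      2   6   377    22   +210us[ +230us] +/-   15ms'

# Stand-alone demo on a temporary copy of a constructed chrony.conf
# (on a FortiSIEM node the file would be /etc/chrony.conf).
demo() {
    tmp=$(mktemp)
    printf 'pool 2.pool.rocky.ntp.org iburst\ndriftfile /var/lib/chrony/drift\n' > "$tmp"
    chrony_set_servers "$tmp" 10.0.0.5 10.0.0.6
    cat "$tmp"
    printf '%s\n' "$SAMPLE_SOURCES" | chrony_selected_source
    rm -f "$tmp"
}
demo
```

Pair the last check with `chronyc tracking` on the node: `systemctl status` only proves the daemon is running, while a `^*` line proves it has a source to correct the clock against.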