Open topic with navigation

Time Stamps in Logger

Events consist of a receipt time, event time, a source (host name or IP address), and an un-parsed message portion. The following are the most common time stamps in Logger events:

• End Time is the time at which the activity related to the event ended.
• Logger Receipt Time is the time the events are written to the Storage Group (disk). All events are timestamped with the receipt time when received on the Logger.

Guidelines

• Logger uses the receipt time field to find matching events when forwarding as well as for storage retention and archives.
• The Logger receipt time is used to analyze the forwarded events to a destination where the forwarder filter specifies a time range.
• Logger uses the receipt time of an event to determine its archival day.
• Search results are sorted based on the search time field selected.
• The histogram is based on the search time field selected.
• The default fields are automatically indexed. For the remaining fields, Logger uses the receipt time of an event and the time when a field was added to the index to determine whether that event will be indexed. If the receipt time of the event is equal to or later than the time when the field was added to the index, the event is indexed; otherwise, it is not.

You may see several other time stamps in Logger events like the following:

• Agent Receipt Time is the time the Connector received the event. Logger does not use this field but you can search it.
• Device Receipt Time is the time the event related to the activity was received. Logger uses this field as backup when executing search based on even time if end time is not present in the CEF event.
• Event Time is the original time of the event on the device. Logger uses this field as default when executing search based on event time.
• Manager Receipt Time is the time the ESM received the event. Logger does not use this field, but you can search it.

See Also