The Correlation Engine processes time-ordered streams of events and detects patterns within events as well as temporal patterns in the stream. However, sometimes the device generating the event might not include the time in its log messages.
To configure time to work correctly with Sentinel, you have two options:
Configure NTP on the Collector Manager and deselect Trust Event Source Time on the event source in the Event Source Manager. Sentinel uses the Collector Manager as the time source for the events.
Select Trust Event Source Time on the event source in Event Source Manager. Sentinel uses the time from the log message as the correct time.
To change this setting on the event source:
Log in to Event Source Management.
For more information, see Accessing Event Source Management in the Sentinel Administration Guide.
Right-click the event source you want to change the time setting for, then select Edit.
Select or deselect the Trust Event Source Time option at the bottom of the General tab.
Click OK to save the change.
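The following added illustration (generic Python, not Sentinel code or its API) shows why the choice between the two time sources matters for temporal correlation: a constructed rule, "3 events within 60 seconds", is evaluated once with the device timestamp and once with the Collector Manager timestamp. The rule, the sample events and the fallback to collector time for messages without a timestamp are assumptions made for this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # constructed rule: 3 events within 60 seconds
THRESHOLD = 3
T0 = datetime(2024, 1, 1, 12, 0, 0)

def ev(device_s, collector_s):
    """Constructed event; device_s=None models a log message with no time in it."""
    device = None if device_s is None else T0 + timedelta(seconds=device_s)
    return {"device_time": device,
            "collector_time": T0 + timedelta(seconds=collector_s)}

def effective_time(event, trust_event_source_time):
    # Assumption: a message without a time falls back to the collector's clock.
    if trust_event_source_time and event["device_time"] is not None:
        return event["device_time"]
    return event["collector_time"]

def rule_fires(events, trust_event_source_time):
    """True if THRESHOLD events fall inside one WINDOW of the chosen timestamps."""
    times = sorted(effective_time(e, trust_event_source_time) for e in events)
    return any(times[i + THRESHOLD - 1] - times[i] <= WINDOW
               for i in range(len(times) - THRESHOLD + 1))

# Delivery is prompt, but the second source's clock runs 10 minutes fast.
SKEWED_CLOCK = [ev(0, 1), ev(610, 11), ev(20, 21)]
# Clocks are right, but events an hour apart arrive in one late batch.
LATE_BATCH = [ev(0, 7201), ev(3600, 7202), ev(7200, 7203)]
# The device puts no time in its messages.
NO_DEVICE_TIME = [ev(None, 1), ev(None, 11), ev(None, 21)]

def compare(events):
    """Return (result trusting source time, result using collector time)."""
    return rule_fires(events, True), rule_fires(events, False)

if __name__ == "__main__":
    for name, sample in [("skewed clock", SKEWED_CLOCK),
                         ("late batch", LATE_BATCH),
                         ("no device time", NO_DEVICE_TIME)]:
        trusted, collector = compare(sample)
        print(f"{name:15} trust source time: {trusted!s:5}  collector time: {collector}")
```

A skewed device clock hides the burst when the source time is trusted, while late batch delivery produces a burst that never happened when collector time is used.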