Symantec Endpoint Protection Manager Notification Emails Display all Event Times in GMT
|Article:TECH122848|||||Created: 2010-01-29|||||Updated: 2013-04-09|||||Article URL http://www.symantec.com/docs/TECH122848|
The Symantec Endpoint Protection Manager (SEPM) can be configured to generate custom notifications based on a variety of criteria (such as the "Single Risk Event" notification). If an email alert is configured for such a notification, the email contents show that the event is being logged in GMT (Greenwich Mean Time).
A variety of Notifications can be configured within the SEPM Monitors tab. These notifications can optionally be configured to be sent by email to one or more email addresses in addition to triggering other events and being written into the database. If the notification is configured to trigger an email alert, the event data contained within the text of the alert will be logged in GMT rather than the local time of the SEPM.
The SEPM logs all events using UTC (Coordinated Universal Time), also known as GMT (Greenwich Mean Time). This enables all of the events to be normalized, allowing for SEP clients from multiple time-zones to forward their events to the same SEPM and for all of these events to be correctly tracked and coordinated. When Notifications are configured for specific event criteria, these notifications are generated and stored within the database, based on the UTC/GMT data (the client data is converted to UTC before being written into the database). Consequently, if the administrator configures an email alert based on the notification, the text of the email alert will show the event time in UTC (GMT). However, if the administrator logs into the SEPM and view the same event via the Reports interface, the SEPM will automatically convert the timestamp of the event to match the local time configuration of the SEPM. Thus a SEPM configured to be in Pacific Standard Time (GMT -8) will log all events using UTC/GMT, but will display them as PST (GMT -8).
This is expected behavior; no action or intervention is necessary
An example of a notification email:
- From: "SYSTEM@servername.com"
Subject: Single Risk Event
Server name: servername
Server IP: 10.0.0.1
At least one security risk found:
Risk name: Hydra.1
File path: C:\Documents and Settings\username\Desktop\HYDRA.COM
Event time: 2010-01-29 13:43:50 GMT
Database insert time: 2010-01-29 13:45:17 GMT
IP Address: 10.0.0.2
Client Group: My Company\Default Group
Action taken on risk: Cleaned
Article URL http://www.symantec.com/docs/TECH122848