Symantec Endpoint Protection Manager Notification Emails Display all Event Times in GMT

Article:TECH122848  |  Created: 2010-01-29  |  Updated: 2013-04-09  |  Article URL http://www.symantec.com/docs/TECH122848
Article Type
Technical Solution


Issue



The Symantec Endpoint Protection Manager (SEPM) can be configured to generate custom notifications based on a variety of criteria (such as the "Single Risk Event" notification). If an email alert is configured for such a notification, the email contents show that the event is being logged in GMT (Greenwich Mean Time).

Symptoms
A variety of Notifications can be configured within the SEPM Monitors tab. These notifications can optionally be configured to be sent by email to one or more email addresses in addition to triggering other events and being written into the database. If the notification is configured to trigger an email alert, the event data contained within the text of the alert will be logged in GMT rather than the local time of the SEPM.

 


Cause



The SEPM logs all events using UTC (Coordinated Universal Time), also known as GMT (Greenwich Mean Time). This normalizes the events, allowing SEP clients in multiple time zones to forward their events to the same SEPM and have all of them correctly tracked and coordinated. When Notifications are configured for specific event criteria, they are generated and stored within the database based on the UTC/GMT data (the client data is converted to UTC before being written into the database). Consequently, if the administrator configures an email alert based on the notification, the text of the email alert will show the event time in UTC (GMT). However, if the administrator logs into the SEPM and views the same event via the Reports interface, the SEPM will automatically convert the timestamp of the event to match the local time configuration of the SEPM. Thus a SEPM configured to be in Pacific Standard Time (GMT -8) will log all events using UTC/GMT, but will display them as PST (GMT -8).


Solution



This is expected behavior; no action or intervention is necessary.



Technical Information
An example of a notification email:

 

    From: "SYSTEM@servername.com"
    To: securityadmin
    Date:
    Subject: Single Risk Event

    Message from:
    Server name: servername
    Server IP: 10.0.0.1

    At least one security risk found:

    Risk name: Hydra.1
    File path: C:\Documents and Settings\username\Desktop\HYDRA.COM
    Event time: 2010-01-29 13:43:50 GMT
    Database insert time: 2010-01-29 13:45:17 GMT
    User: username
    Computer: computername
    IP Address: 10.0.0.2
    Domain: Default
    Server: servername
    Client Group: My Company\Default Group
    Action taken on risk: Cleaned
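
For correlating these alerts with logs kept in local time, the following added example (not Symantec code) parses the GMT-marked timestamp lines from a notification body like the one above and converts them to the SEPM's zone. The function names and the fixed PST offset are assumptions chosen for illustration; the sample body is constructed from the email shown above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: part of the notification email body shown above.
SAMPLE_EMAIL = """\
Subject: Single Risk Event

Risk name: Hydra.1
File path: C:\\Documents and Settings\\username\\Desktop\\HYDRA.COM
Event time: 2010-01-29 13:43:50 GMT
Database insert time: 2010-01-29 13:45:17 GMT
Computer: computername
Action taken on risk: Cleaned
"""

# "<field>: YYYY-MM-DD HH:MM:SS GMT" lines; only values explicitly marked GMT match.
_TS_LINE = re.compile(
    r"^\s*(?P<field>[^:\n]+?):\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\s*$",
    re.MULTILINE,
)

def gmt_fields(body):
    """Return {field name: timezone-aware UTC datetime} for each GMT timestamp line."""
    out = {}
    for m in _TS_LINE.finditer(body):
        naive = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        out[m.group("field").strip()] = naive.replace(tzinfo=timezone.utc)
    return out

def to_local(fields, tz):
    """Convert parsed UTC timestamps to the given tzinfo (e.g. the SEPM's zone)."""
    return {name: ts.astimezone(tz) for name, ts in fields.items()}

def insert_lag(fields):
    """Delay between the client event and the SEPM database insert."""
    return fields["Database insert time"] - fields["Event time"]

# Assumption: fixed PST offset (GMT -8) as in the article; pass a
# zoneinfo.ZoneInfo instead for a zone with daylight saving rules.
PST = timezone(timedelta(hours=-8), "PST")

if __name__ == "__main__":
    utc = gmt_fields(SAMPLE_EMAIL)
    for name, ts in to_local(utc, PST).items():
        print(f"{name}: {ts:%Y-%m-%d %H:%M:%S %Z}")
    print("Insert lag:", insert_lag(utc))
```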

 




Legacy ID



2010012915495548

