
How to set up and troubleshoot NTP in RSA Security Analytics

Issue

How to set up and troubleshoot NTP in RSA Security Analytics.
How to set up and troubleshoot NTP on a NetWitness appliance via SSH.

Resolution

It is strongly recommended that all systems in the Security Analytics suite be synchronized to a network time source so that every device records the same time. If this is not done, the device clocks drift apart, events captured at the same moment are stamped with different times, and queries for a specific time window do not return the expected results.

 

How to change the NTP server, or set one, from the command line:

Edit /etc/ntp.conf and locate the server line(s).

The address on each server line is a configured time server.

-You can change it to a different IP address or the FQDN of an NTP server.

-You may specify more than one NTP server. ntpd polls all of them and selects the best source with its clock-selection algorithm (shown with a * in ntpq -p output); the others remain candidates and take over if the selected server becomes unreachable.

-If the only server line in the file is a commented-out example, then no NTP server is configured.

-You can add your own server lines after the commented example.

 

For example:

# server mytrustedtimeserverip

server tick.example.com

server tock.example.com

server ntp2.example.com

 

Note: If your environment has firewalls, ensure that the Appliance can reach the NTP servers on UDP port 123 and receive their replies (NTP uses UDP port 123 as both source and destination port). Also review the restrict lines in /etc/ntp.conf: a restrict default line that includes noquery stops the appliance from answering remote ntpq and ntpdc queries while still allowing it to synchronize, which is the appropriate setting unless the appliance is meant to serve time to other hosts.

 

Enable the NTPD service to start on reboot, and restart the NTPD service for the change to take effect. Run the following commands as root:

[root@appliance-name /]# /sbin/chkconfig --level 2345 ntpd on

[root@appliance-name /]# /sbin/service ntpd restart

 

After the restart, ntpd begins polling the configured servers. Synchronization is not instantaneous: ntpd needs several successful polls before it selects a source and starts disciplining the clock, which takes a few minutes at the default polling interval (adding iburst to a server line speeds up the initial exchange). Once the clock is synchronized, the kernel keeps the hardware clock updated. Verify that the NTPD service is running and has selected a source. Run:

ntpq -p

In the output, the character in the first column is the tally code: * marks the server ntpd has selected as its system peer, + marks usable candidates, and a space marks a server that is not yet usable. The reach column is an octal shift register of the last eight polls: 377 means all eight received replies, 0 means the server has never answered (check firewall rules and DNS resolution). The offset column is the measured difference between the local clock and that server, in milliseconds.
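The following is an added example, not part of the original article, that turns the ntpq -p reading above into a scripted check suitable for a cron job or a monitoring agent on the appliance. The sample output is constructed to mirror the server list in the ntp.conf example; the function name ntp_check and the threshold argument are this example's own.

```shell
#!/bin/sh
# Added example: scripted health check over `ntpq -p` output.
# Usage on the appliance:  ntpq -p | ntp_check 100
# Exit status 0 = synchronized and within threshold, 1 = problem found.

# Constructed sample output (not captured from a real appliance), using the
# server names from the ntp.conf example above. ntpq truncates names to 15 chars.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tick.example.co 192.0.2.10       2 u   37   64  377    0.412   -0.215   0.087
+tock.example.co 192.0.2.11       2 u   29   64  377    0.533    0.104   0.120
 ntp2.example.co .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_check THRESHOLD_MS: read ntpq -p output on stdin and report whether ntpd
# has a selected system peer (tally "*"), that peer answered all of the last
# eight polls (reach 377), and its offset is within THRESHOLD_MS milliseconds.
# Servers with reach != 377 are listed as unreachable on the OK line.
ntp_check() {
    awk -v thr="$1" '
        NR <= 2 { next }                    # skip the two header lines
        {
            tally = substr($0, 1, 1)        # first column: *, +, -, x, ., #, o or space
            n = split(substr($0, 2), f, " ")
            if (n < 10) next                # not a peer line
            remote = f[1]; reach = f[7]; offset = f[9] + 0
            if (tally == "*") { sys = remote; sys_reach = reach; sys_off = offset }
            if (reach != "377") bad = bad " " remote
        }
        END {
            if (sys == "") { print "FAIL: no selected system peer (no * in tally column)"; exit 1 }
            if (sys_reach != "377") { print "FAIL: system peer " sys " reach=" sys_reach; exit 1 }
            absoff = sys_off < 0 ? -sys_off : sys_off
            if (absoff > thr) { print "FAIL: offset " sys_off " ms exceeds " thr " ms"; exit 1 }
            tail = ""
            if (bad != "") tail = "; unreachable:" bad
            print "OK: synchronized to " sys " offset=" sys_off "ms" tail
            exit 0
        }'
}

# Demonstration against the constructed sample: a 100 ms threshold passes,
# and the server that has never answered (reach 0) is named as unreachable.
printf '%s\n' "$SAMPLE_NTPQ" | ntp_check 100
```

The check deliberately keys on the tally character rather than on the presence of server lines, because ntpq -p lists every configured server even when none of them is usable; only a * means the local clock is actually being disciplined.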

 

Advanced NTP troubleshooting

Check /var/log/messages for NTPD events, and enable the extra NTP statistics described below when you need a detailed view of how the clock is being disciplined. The commands listed here, together with those configuration changes, give a detailed analysis of NTP behaviour on the Appliance. For more information on advanced NTP troubleshooting, go to: http://www.ntp.org/ntpfaq/NTP-s-trouble.htm#Q-TRB-MON-STATFIL

 

To list the configured servers and the reference each of them is synchronized to (the refid column), run:

ntpdc -p

Note: ntpdc uses NTP mode 7 control messages, which are deprecated and disabled in newer ntpd builds. If ntpdc reports a timeout, use ntpq -p, which shows the same peer list.

 

To see the current clock offset in seconds and the frequency (drift) correction in parts per million, as of the last update from the selected server, run:

ntpdc -c loopinfo

The same values are reported as the offset and frequency variables of ntpq -c rv.

 

To display the kernel clock-discipline state, including the remaining correction still to be applied to the system clock, run:

ntpdc -c kerninfo

 

To check a specific time server without touching the local clock, run:

ntpdate -d <server>

where <server> is the IP address or FQDN of the NTP server. The -d (debug) option contacts the server and reports the time difference but does not change the local host's time, so it is safe to run while ntpd is running.

 

To enable extra NTP logging:

Create the following directory on the Appliance, writable by the user ntpd runs as (normally ntp): /var/log/ntp

Edit /etc/ntp.conf, and add these 4 lines:

statistics loopstats peerstats

statsdir /var/log/ntp/

filegen peerstats file peers type day link enable

filegen loopstats file loops type day link enable

Restart the NTP service. Run:

/sbin/service ntpd restart

 

After the service starts, ntpd writes loops (loopstats) and peers (peerstats) files in /var/log/ntp, one file per day with the date appended to the name and a link with the bare name pointing at the current day's file. These give you the detailed NTP heartbeat and results. Each loopstats line records: day (Modified Julian Day), second of the day, clock offset in seconds, drift compensation (frequency in PPM), estimated error (jitter), stability (Allan deviation), and polling interval. Each peerstats line records: day, second, peer address, status word (hex), offset, delay, dispersion, and jitter (skew, the variance of the offset samples).
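As an added example, not part of the original article, the script below reads loopstats and peerstats records in the format produced by the configuration above and flags clock excursions, which is what you would do with these files after a user reports queries returning results for the wrong time window. The sample lines are constructed, the millisecond threshold is arbitrary, and the function names are this example's own; on the appliance you would feed it /var/log/ntp/loops and /var/log/ntp/peers.

```shell
#!/bin/sh
# Added example: reading the loopstats and peerstats files that ntpd writes
# with the statistics/filegen configuration above.
# Usage:  loopstats_offenders 1 < /var/log/ntp/loops
#         peerstats_summary     < /var/log/ntp/peers

# Constructed sample lines in the ntpd loopstats format:
# MJD  second  offset(s)  frequency(ppm)  jitter(s)  stability(ppm)  poll
SAMPLE_LOOPSTATS='56827 43200.000 0.000102 -11.402 0.000071 0.000983 6
56827 43264.000 -0.004870 -11.398 0.000120 0.001005 6
56827 43328.000 0.000094 -11.401 0.000068 0.000990 7'

# Constructed sample lines in the ntpd peerstats format:
# MJD  second  address  status(hex)  offset(s)  delay(s)  dispersion(s)  jitter(s)
SAMPLE_PEERSTATS='56827 43200.000 192.0.2.10 9614 -0.000215 0.000412 0.001234 0.000087
56827 43200.000 192.0.2.11 9414 0.000104 0.000533 0.001301 0.000120
56827 43264.000 192.0.2.10 9614 -0.004870 0.000420 0.001250 0.000095'

# loopstats_offenders THRESHOLD_MS: print "<unix-epoch> <offset-ms>" for every
# loopstats record whose |offset| exceeds the threshold. The timestamp is
# recovered from the MJD and second-of-day columns (MJD 40587 = 1970-01-01).
# Exit status 1 if any record was flagged, 0 otherwise.
loopstats_offenders() {
    awk -v thr="$1" '
        NF >= 7 {
            off_ms = $3 * 1000
            abs = off_ms < 0 ? -off_ms : off_ms
            if (abs > thr) {
                epoch = ($1 - 40587) * 86400 + $2
                printf "%d %.3f\n", epoch, off_ms
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# peerstats_summary: one line per peer address with the number of samples and
# the largest |offset| in milliseconds, so a misbehaving upstream stands out.
peerstats_summary() {
    awk '
        NF >= 8 {
            off_ms = $5 * 1000
            abs = off_ms < 0 ? -off_ms : off_ms
            count[$3]++
            if (abs > worst[$3]) worst[$3] = abs
        }
        END { for (a in count) printf "%s %d %.3f\n", a, count[a], worst[a] }' | sort
}

# Demonstration against the constructed samples: one loopstats record exceeds
# 1 ms, and the per-peer summary shows which upstream delivered it.
printf '%s\n' "$SAMPLE_LOOPSTATS" | loopstats_offenders 1 || echo "loopstats: offset excursion(s) found"
printf '%s\n' "$SAMPLE_PEERSTATS" | peerstats_summary
```

Converting the MJD and second-of-day columns to a Unix epoch lets the flagged records be lined up directly against Security Analytics session times, which is the comparison you need when deciding whether a gap in query results was a clock problem.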



Internal Comments

UserName:shurtj
6/19/2014 12:55:05 PM - Changed Article Type
Changed article type from informational to how-to and modified statements accordingly to abide by Primus best practices.


Product Details

RSA Security Analytics
INTERNAL ONLY !!!!