Timestamp 3 hour delay


pisa_suave

Apr 6, 2024, 7:11:12 PM
to Wazuh | Mailing List
Hello, good morning, I hope you are well.

I have a small problem with my installation, I currently have it distributed as follows.

1) 1 Wazuh Manager.
2) 3 Wazuh Indexer in cluster.
3) 1 Wazuh Dashboard
4) 1 Graylog
5) 1 Grafana
6) 1 Misp

It turns out that I am receiving the alerts with a 3-hour delay to my current time. Before installing the complete infrastructure, I first updated my time to that of my zone and by placing the "timedatectl" command I displayed the time zone and the correct time.

But it seems that Wazuh's manager uses universal time and that makes many things uncontrollable for me.

Does anyone know how I can regularize that? I have my environment already in production and I wouldn't want to have to do it again for something like that.

Thanks in advance.

Md. Nazmur Sakib

Apr 8, 2024, 12:13:06 AM
to Wazuh | Mailing List

Hi pisa_suave,


Good Day!


If you check the /var/ossec/etc/localtime file, you will see Wazuh's manager uses universal time as configured by default. 


To change the Wazuh manager's time to local time:


First, update the timezone of the server. You can use the timedatectl command to update the timezone.


Find your timezone

timedatectl list-timezones 


Next, set your timezone similar to this.


timedatectl set-timezone 'Asia/Dhaka'


Check updated timezone


timedatectl


Next, reboot the server

reboot


Next, follow the below steps.


First, stop the manager

systemctl stop wazuh-manager


1.  Move the /var/ossec/etc/localtime file to keep a backup of the configuration:

mv /var/ossec/etc/localtime /var/ossec/etc/localtime.bak


2. Copy the /etc/localtime file of the required time to /var/ossec/etc/localtime:

cp /etc/localtime /var/ossec/etc/localtime


3. Check that the ownership of the file is root:wazuh.

chown root:wazuh /var/ossec/etc/localtime


Next, restart the manager 


systemctl restart wazuh-manager



Let me know if this solves your issue.
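
A check to run after the steps above, added here as an example and not part of the original reply: it confirms that /var/ossec/etc/localtime has the same contents as /etc/localtime and is owned by root:wazuh. The function name and exit codes are this example's own, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: verify that the Wazuh manager's private timezone file
# matches the host's, which is what the copy and chown steps are meant to achieve.
# Default paths and owner are the ones used in this thread.

# check_wazuh_localtime [system_tz_file] [wazuh_tz_file] [expected_owner]
# Returns 0 when in sync, 1 on content mismatch, 2 on wrong ownership,
# 3 when either file is missing. (Function name and codes are hypothetical.)
check_wazuh_localtime() {
    sys_tz=${1:-/etc/localtime}
    wazuh_tz=${2:-/var/ossec/etc/localtime}
    want_owner=${3:-root:wazuh}

    # -e follows symlinks: /etc/localtime is usually a link into zoneinfo.
    if [ ! -e "$sys_tz" ] || [ ! -e "$wazuh_tz" ]; then
        echo "missing: $sys_tz or $wazuh_tz" >&2
        return 3
    fi

    # cmp reads through symlinks, so it compares the zone data itself.
    if ! cmp -s "$sys_tz" "$wazuh_tz"; then
        echo "mismatch: $wazuh_tz differs from $sys_tz" >&2
        return 1
    fi

    # GNU stat; -L reports the owner of the target if the file is a symlink.
    have_owner=$(stat -L -c '%U:%G' "$wazuh_tz")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "owner: $wazuh_tz is $have_owner, expected $want_owner" >&2
        return 2
    fi

    echo "ok: $wazuh_tz matches $sys_tz and is owned by $want_owner"
    return 0
}

# Check the real paths only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
    check_wazuh_localtime
fi
```

A non-zero result after a later timezone change on the host means the copy under /var/ossec/etc is stale and alert timestamps will drift from local time again.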

Md. Nazmur Sakib

Apr 9, 2024, 5:13:01 AM
to Wazuh | Mailing List
Hi pisa_suave,

Let me know the update on the issue.

Aramis De la Cruz

Apr 9, 2024, 10:27:01 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
Nazmur,

Very good day, thank you very much for your response. I made the indicated change and changed the time in Wazuh; however, in Graylog I still saw it with a different time, so I also had to change it in Graylog, but as I told you before, it did work for me in Wazuh.

Likewise, for those who have an infra the same as mine or similar, you can change the time zone in Graylog in the file "/etc/graylog/server/server.conf": locate the line "root_timezone = UTC" and change UTC to the time zone that corresponds to your country, then restart the Graylog server.

Grateful Nazmur.


Md. Nazmur Sakib

Apr 15, 2024, 11:56:07 PM
to Wazuh | Mailing List
Hi Aramis,

I am glad that your issue is resolved. Thank you for sharing the solution with the community.