How does Sentinel 5.x deal with device time?
The time of an event is critical to its processing. It matters for reporting and auditing as well as for real-time processing. The correlation engine processes time-ordered streams of events and detects patterns within events as well as temporal patterns across the stream. However, the device generating an event may not know the real time at which the event is generated. To accommodate this, Sentinel offers two options for processing alerts from security devices: trust the time the device reports and use it as the time of the event, or do not trust the device time and instead stamp the event with the time it is first processed by Sentinel (by the Agent).
Sentinel is a distributed system comprising several processes that can run in different parts of the network. In addition, the device itself can introduce some delay. To accommodate this, the Sentinel processes reorder the events into a time-ordered stream before processing them.
The following points explain the concept of Sentinel Time.
1. By default, Event Time is set to Wizard time. Ideally, Event Time would be the device time. Therefore it is best to set Event Time to Device Time when Device Time is available, accurate, and properly parsed by the Agent.
2. A configurable time buffer reorders events and updates the real-time displays. The default window is 30 seconds before and after server time.
3. Correlation re-order buffer: if the event time is more than 30 seconds older than Server time, the correlation engine will not process the event.
4. If the event time is more than 5 minutes older than Wizard Time (the correct time), the event is routed directly to the database.
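The four rules above, modelled as an added Python example (not Sentinel's own code): the 30-second window and 5-minute cutoff are the defaults the page quotes, the sample events and their timestamps are constructed, and the same events are classified once with device time trusted and once with Wizard time used instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults quoted on the page: +/-30 s reorder window, 5 minute database-only cutoff.
REORDER_WINDOW = timedelta(seconds=30)
DB_ONLY_CUTOFF = timedelta(minutes=5)


@dataclass
class Event:
    name: str
    device_time: datetime  # timestamp the device reported; may be wrong
    wizard_time: datetime  # when the Agent (Wizard) first processed the event


def event_time(ev: Event, trust_device_time: bool) -> datetime:
    """Option 1: use the device clock; option 2: stamp with Wizard time instead."""
    return ev.device_time if trust_device_time else ev.wizard_time


def route(ev: Event, server_time: datetime, trust_device_time: bool) -> str:
    """Classify one event according to the rules described on the page."""
    t = event_time(ev, trust_device_time)
    if ev.wizard_time - t > DB_ONLY_CUTOFF:   # rule 4: > 5 min behind Wizard time
        return "database_only"
    if server_time - t > REORDER_WINDOW:      # rule 3: > 30 s older than server time
        return "stored_not_correlated"
    return "buffered_for_correlation"         # rule 2: inside the reorder buffer


def reorder(events, server_time: datetime, trust_device_time: bool) -> list:
    """Names of correlatable events in event-time order, as the buffer emits them."""
    kept = [e for e in events
            if route(e, server_time, trust_device_time) == "buffered_for_correlation"]
    return [e.name for e in sorted(kept, key=lambda e: event_time(e, trust_device_time))]


# Constructed sample (not real Sentinel data). Server and Wizard clocks agree here.
NOW = datetime(2024, 1, 1, 12, 0, 0)
ago = lambda secs: NOW - timedelta(seconds=secs)
SAMPLE = [
    Event("fw_allow", ago(10), ago(5)),      # normal: arrived 5 s after it happened
    Event("fw_deny", ago(20), ago(2)),       # generated first, but arrived later
    Event("ids_alert", ago(45), ago(1)),     # device clock runs 44 s slow
    Event("stale_clock", ago(600), ago(0)),  # device clock runs 10 min slow
    Event("slow_link", ago(50), ago(45)),    # 45 s transport delay Wizard -> server
]

if __name__ == "__main__":
    for trust in (True, False):
        print("trust device time:", trust)
        for ev in SAMPLE:
            print(f"  {ev.name:12s} -> {route(ev, NOW, trust)}")
        print("  correlation order:", reorder(SAMPLE, NOW, trust))
```

Note that stamping with Wizard time rescues the events whose device clocks are wrong, but not the one delayed on the link between the Wizard and the server, which is still older than the 30-second window when it arrives.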