IBM Support

QRadar: Event details and the difference between Start Time, Storage Time, and Log Source Time

Question & Answer


Question

What is the difference between Start Time, Storage Time, and Log Source Time on the Event Information page in QRadar?

Cause

QRadar displays three time stamp fields when users view the details of an event. These three timestamps can have different values depending on where the data originated, when it arrives at QRadar, and when it is written to disk.

Timestamp values as seen in the user interface:

Figure 1: A sample log off event sent by WinCollect to QRadar

As shown in the example image above, there is a six second delay between when the remote syslog event "An account was logged off" was generated on the source and when QRadar received it, as represented by the Log Source Time and the Start Time respectively.

Answer

Note: This video is provided to add extra content for administrators. It is not a replacement for the required reading. Download any required reading materials before trying procedures on your deployment.

YouTube Video
IBM QRadar: Differences Between Event Time Stamps (02:32)
The differences between Event time stamps in IBM QRadar.



Start Time
The Start Time in an event record represents the time at which the event arrived at the QRadar appliance. When an event arrives in the Event Pipeline, an object is created in memory, and the Start Time is set to the time that object was created.

Note: In QRadar version 7.3.1 and above the Start Time begins after the EC-ECS Ingress component of the Event Pipeline.


Storage Time
The Storage Time is the time at which the data is written out to disk by the Ariel component at the end of the Event Pipeline. Comparing it with the Start Time is useful for determining whether the Event Pipeline is backed up, for performance or licensing reasons. When investigating events delayed in the pipeline, or messages about licensing or events dropped because of licensing, look at the Start Time and Storage Time of the affected events and see how far apart they are. The gap gives an indication of how delayed the pipeline may be.


Log Source Time
The Log Source Time is pulled from the event payload itself after the system has parsed the event. The timestamp available in the syslog header is the value that is used. However, for some log sources, such as Windows logs that have a MessageTime field in the body of the payload, or in the Message= area of the payload, QRadar might convert an epoch timestamp into a time and store that in the Log Source Time, overriding even the value in the syslog header.

Note:
  • If there is no time available in the payload at all, then the log source time field is populated with the same value as the start time.
  • If an event includes a time zone, then we adjust the Log Source Time to account for the time zone change.

Example:
If an event's payload carries a time zone of GMT+8 relative to the Console, the Log Source Time is displayed as GMT-8 from the time stamp in the event payload, that is, shifted back by eight hours. This is so users can understand when the event occurred based on the Console time.
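The following Python model, added here as an illustration and not QRadar's own code (QRadar's real parsing is done by its DSMs and the Event Pipeline), applies the Log Source Time rules above (syslog header time, an epoch MessageTime in the body overriding the header, time zone adjustment to Console time, and fallback to the Start Time when the payload has no time at all) and also computes the Start Time to Storage Time gap used to judge pipeline backlog. The regular expressions, the field name MessageTime, the assumption that the Console runs in UTC, and the sample events are constructed for the example; the six second arrival lag in the first sample mirrors Figure 1.

```python
"""Model of how the three QRadar event timestamps relate (added example,
not QRadar code). Regexes, field names and sample events are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Assumption for the example: the Console's local time zone is UTC.
CONSOLE_TZ = timezone.utc

# RFC 3164 style header, e.g. "<13>Aug 16 10:15:22 host ..." (no year, no zone).
SYSLOG_HDR = re.compile(r"^<\d+>([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
# RFC 3339 style timestamp carrying an explicit offset, e.g. "2019-08-16T18:15:22+08:00".
ISO_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z))")
# Epoch seconds inside the message body, e.g. "MessageTime=1565950522".
EPOCH_FIELD = re.compile(r"\bMessageTime=(\d{9,10})\b")


def syslog_header_time(payload, start_time):
    """Time from the syslog header, or None. RFC 3164 carries neither a year
    nor a zone, so the year is taken from the Start Time and the zone is
    assumed to be the Console's (both are assumptions of this model)."""
    m = SYSLOG_HDR.match(payload)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    month = datetime.strptime(mon, "%b").month
    return datetime(start_time.year, month, int(day), int(hh), int(mm), int(ss),
                    tzinfo=CONSOLE_TZ)


def log_source_time(payload, start_time):
    """Derive the Log Source Time using the rules described on the page:
    1. an epoch MessageTime in the body overrides everything else,
    2. a timestamp with an explicit zone is converted to Console time,
    3. otherwise the syslog header time is used,
    4. with no time in the payload at all, fall back to the Start Time."""
    m = EPOCH_FIELD.search(payload)
    if m:
        return datetime.fromtimestamp(int(m.group(1)), tz=CONSOLE_TZ)
    m = ISO_TS.search(payload)
    if m:
        ts = m.group(1).replace("Z", "+00:00")
        return datetime.fromisoformat(ts).astimezone(CONSOLE_TZ)
    hdr = syslog_header_time(payload, start_time)
    if hdr is not None:
        return hdr
    return start_time


def pipeline_lag(start_time, storage_time):
    """Seconds between arrival (Start Time) and write to disk (Storage Time);
    a large value indicates a backed-up Event Pipeline."""
    return (storage_time - start_time).total_seconds()


def describe(event):
    """Return the derived Log Source Time and the two lags as plain values."""
    lst = log_source_time(event["payload"], event["start"])
    return {
        "log_source_time": lst.isoformat(),
        "arrival_lag_s": (event["start"] - lst).total_seconds(),
        "pipeline_lag_s": pipeline_lag(event["start"], event["storage"]),
    }


def _t(h, m, s):
    # Constructed Start/Storage Times, all on 16 Aug 2019 in Console time.
    return datetime(2019, 8, 16, h, m, s, tzinfo=CONSOLE_TZ)


# Constructed sample events; the payload text only imitates real formats.
SAMPLE_EVENTS = [
    {   # header time only: generated 10:15:22, arrived 6 s later, stored 1 s after that
        "payload": "<13>Aug 16 10:15:22 winhost AgentDevice=WindowsLog Message=An account was logged off",
        "start": _t(10, 15, 28), "storage": _t(10, 15, 29)},
    {   # MessageTime epoch (10:15:22 UTC) overrides the later header time; pipeline backed up 4 min
        "payload": "<13>Aug 16 10:15:40 winhost AgentDevice=WindowsLog MessageTime=1565950522 Message=An account was logged off",
        "start": _t(10, 15, 45), "storage": _t(10, 19, 45)},
    {   # payload zone is GMT+8 relative to the Console, so shown 8 h earlier in Console time
        "payload": "2019-08-16T18:15:22+08:00 appserver session closed for user alice",
        "start": _t(10, 15, 30), "storage": _t(10, 15, 30)},
    {   # no time in the payload at all: Log Source Time equals Start Time
        "payload": "device rebooted",
        "start": _t(10, 16, 0), "storage": _t(10, 16, 2)},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(describe(ev))
```

Running the block prints one line per sample: the first shows the six second arrival lag from Figure 1, the second a four minute Start Time to Storage Time gap that would warrant a look at pipeline performance or licensing, the third the GMT+8 payload displayed in Console time, and the fourth the fallback to Start Time.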



Where do you find more information?


Related information

Developer Works: Log source time vs payload time of eve

Document information

More support for: IBM QRadar SIEM

Component: User Interface

Software version: 7.1, 7.2, 7.3

Operating system(s): Linux

Software edition: All Editions

Reference #: 1695264

Modified date: 16 August 2019