Symantec Endpoint Protection Manager Notification Emails Display all Event Times in GMT
Last Updated April 09, 2013
The Symantec Endpoint Protection Manager (SEPM) can be configured to generate custom notifications based on a variety of criteria (such as the "Single Risk Event" notification). If an email alert is configured for such a notification, the email contents show that the event is being logged in GMT (Greenwich Mean Time).
Symptoms A variety of Notifications can be configured within the SEPM Monitors tab. These notifications can optionally be configured to be sent by email to one or more email addresses in addition to triggering other events and being written into the database. If the notification is configured to trigger an email alert, the event data contained within the text of the alert will be logged in GMT rather than the local time of the SEPM.
The SEPM logs all events using UTC (Coordinated Universal Time), also known as GMT (Greenwich Mean Time). This enables all of the events to be normalized, allowing for SEP clients from multiple time-zones to forward their events to the same SEPM and for all of these events to be correctly tracked and coordinated. When Notifications are configured for specific event criteria, these notifications are generated and stored within the database, based on the UTC/GMT data (the client data is converted to UTC before being written into the database). Consequently, if the administrator configures an email alert based on the notification, the text of the email alert will show the event time in UTC (GMT). However, if the administrator logs into the SEPM and view the same event via the Reports interface, the SEPM will automatically convert the timestamp of the event to match the local time configuration of the SEPM. Thus a SEPM configured to be in Pacific Standard Time (GMT -8) will log all events using UTC/GMT, but will display them as PST (GMT -8).
This is expected behavior; no action or intervention is necessary
Technical Information An example of a notification email:
Subject: Single Risk Event
Message from: Server name: servername Server IP: 10.0.0.1
At least one security risk found:
Risk name: Hydra.1 File path: C:\Documents and Settings\username\Desktop\HYDRA.COM Event time: 2010-01-29 13:43:50 GMT
Database insert time: 2010-01-29 13:45:17 GMT
User: username Computer: computername IP Address: 10.0.0.2 Domain: Default Server: servername Client Group: My Company\Default Group Action taken on risk: Cleaned
Imported Document ID: TECH122848
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe