There are multiple Date fields in an event for a SEP or SEP State Collector. What do these dates mean?
You see these dates and times in the Event Details:
- Logged at: Dec 6, 2011 12:55:08 PM EST
- Event Date: Dec 6, 2011 12:55:08 PM EST
- Ending Event Date: Dec 6, 2011 12:55:08 PM EST
- Original Event Date: Dec 6, 2011 12:55:05 PM EST
- Original Ending Event Date: Dec 6, 2011 12:14:59 PM EST
The SEP collector puts ALERTDATETIME from a SEP event into the Ending Event Date field, so an event sent from the SEP collector to SSIM has Ending Event Date populated. SSIM, however, has its own logic for processing Event Date and Ending Event Date. The SSIM logic is the following:
If Ending Event Date is less than Event Date, then Ending Event Date is moved to Original Ending Event Date.
Original Ending Event Date cannot be populated with Original Event Date.
This is what you will see in a SEP event:
- Event Date from SEP is copied into Original Event Date in the SSIM event.
- Ending Event Date from SEP is copied into Original Ending Event Date in the SSIM event.
- Event Date and Ending Event Date are populated with the current time (the "Logged at" time), that is, the time the event was logged by SSIM.
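When building an incident timeline from these events, the Original fields carry the SEP-side times and the other fields carry the SSIM receipt time. The following Python sketch is an added example, not Symantec code: it parses the Event Details shown above and separates the two. The function names are hypothetical, and the sample text is the one from this article.

```python
from datetime import datetime

# Event Details text copied from this article.
EVENT_DETAILS = """\
- Logged at: Dec 6, 2011 12:55:08 PM EST
- Event Date: Dec 6, 2011 12:55:08 PM EST
- Ending Event Date: Dec 6, 2011 12:55:08 PM EST
- Original Event Date: Dec 6, 2011 12:55:05 PM EST
- Original Ending Event Date: Dec 6, 2011 12:14:59 PM EST
"""

FMT = "%b %d, %Y %I:%M:%S %p"  # e.g. "Dec 6, 2011 12:55:08 PM"


def parse_event_details(text):
    """Return {field name: naive datetime}. The zone label (EST) is dropped,
    which is acceptable only because every field in one event shares it."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.strip().lstrip("- ").partition(": ")
        if not sep:
            continue  # not a "Name: value" line
        stamp = value.rsplit(" ", 1)[0]  # strip the trailing zone label
        fields[name] = datetime.strptime(stamp, FMT)
    return fields


def timeline_view(fields):
    """Separate SEP-side times (Original fields) from the SSIM receipt time."""
    logged = fields["Logged at"]
    src_event = fields["Original Event Date"]
    src_alert = fields["Original Ending Event Date"]  # SEP ALERTDATETIME
    return {
        # True when SSIM replaced both dates with its own logging time.
        "dates_rewritten": fields["Event Date"] == logged
        and fields["Ending Event Date"] == logged,
        "source_event_time": src_event,
        "source_alert_time": src_alert,
        "ssim_logged_time": logged,
        # Delay between the SEP event time and SSIM logging it.
        "ingest_lag_seconds": (logged - src_event).total_seconds(),
        # Positive when the alert time precedes the event time, the
        # condition under which SSIM moves the ending date aside.
        "alert_before_event_seconds": (src_event - src_alert).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in timeline_view(parse_event_details(EVENT_DETAILS)).items():
        print(f"{key}: {value}")
```
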
Imported Document ID: TECH177892