System Time Synchronization
This report looks at system time synchronization data and provides a list of all assets that are not synchronizing as expected to a centralized time server. Use this report to identify these systems so you can further investigate and fix them.
Time synchronization technology such as Network Time Protocol (NTP) is used to keep system clocks synchronized across a network. This allows for log correlation between systems and establishes a clear sequence of events when necessary. PCI DSS requires that systems in the cardholder data environment be synchronized.
Relevant data sources
Relevant data sources for this report include NTP failure and success data.
How to configure this report
1. Index NTP synchronization data, or other data that can indicate a successful time synchronization attempt, in Splunk Enterprise. No specific fields are needed to determine synchronization.
2. Tag the successful synchronization data with the tags time and synchronize.
3. Configure the should_timesync column of the assets that should synchronize in the asset table.
The data in the System Time Synchronization report is populated by Endpoint - Time Sync Tracker - Lookup Gen, a lookup that runs against the time_sync_tracker CSV file.
This search runs on an offset 20-minute cycle and looks at 60 minutes of data.
|Schedule||0,20,40 * * * *||Runs on an offset 20-minute schedule.|
|Report window||-65m@m to -5m@m||Looks at 60 minutes of data.|
Note: The report window stops at 5 minutes ago because some data sources might not have provided complete data in a more recent time frame.
|Troubleshooting Task||Search Command||Expected Result|
|Verify that time synchronization data is in Splunk Enterprise.||tag=time tag=synchronize||Returns time synchronization data.|
|Verify that the time tracker lookup is populated.|| | inputlookup append=T time_sync_tracker||Returns data in the time_sync_tracker.|
|Verify successful time sync data.||`time_sync(success)`||Returns successful time sync data.|
|Verify successful time sync data fields.||`time_sync(success)` | table dest||Returns successful time sync data fields.|
Windows NTP produces messages 35 and 37 that indicate a synchronization attempt. Windows does not synchronize on a predictable, fixed schedule, which can cause false positives if you configure the report with short time frames.
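The following Python model is an added example, not the app's search or Splunk code. It shows how the report window and the Windows caveat above interact: an asset with should_timesync set is flagged when no successful synchronization falls inside the window. The asset layout, host names, timestamps, single-window evaluation and the 185-minute alternative window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Report window from the page: -65m@m to -5m@m (60 minutes, ending 5 minutes ago).
WINDOW_START = timedelta(minutes=65)
WINDOW_END = timedelta(minutes=5)

def snap_to_minute(ts):
    """Equivalent of the @m snap used in the report window."""
    return ts.replace(second=0, microsecond=0)

def unsynced_assets(assets, sync_events, now, start=WINDOW_START, end=WINDOW_END):
    """Return assets with should_timesync set and no successful sync in the window.

    assets: list of dicts with 'dest' and 'should_timesync' (constructed layout).
    sync_events: list of (timestamp, dest) for successful synchronizations.
    """
    earliest = snap_to_minute(now - start)
    latest = snap_to_minute(now - end)
    seen = {dest for ts, dest in sync_events if earliest <= ts < latest}
    return sorted(
        a["dest"] for a in assets
        if a["should_timesync"] and a["dest"] not in seen
    )

# Constructed sample data, not taken from any real environment.
NOW = datetime(2024, 1, 10, 12, 0, 30)
ASSETS = [
    {"dest": "pos-linux-01", "should_timesync": True},
    {"dest": "pos-win-02", "should_timesync": True},
    {"dest": "db-03", "should_timesync": True},    # never synchronizes
    {"dest": "lab-04", "should_timesync": False},  # not expected to synchronize
]
SYNC_EVENTS = [
    (datetime(2024, 1, 10, 11, 30, 0), "pos-linux-01"),  # inside the window
    (datetime(2024, 1, 10, 10, 40, 0), "pos-win-02"),    # synced, but 80 minutes ago
]

def demo():
    # Default 60-minute window: the irregular Windows host is a false positive.
    default = unsynced_assets(ASSETS, SYNC_EVENTS, NOW)
    # A longer window (assumed 185 minutes) leaves only the host that never syncs.
    wide = unsynced_assets(ASSETS, SYNC_EVENTS, NOW, start=timedelta(minutes=185))
    return default, wide

if __name__ == "__main__":
    print(demo())
```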
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1