Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Acrobat logo Download topic as PDF

System Time Synchronization

This report looks at system time synchronization data and provides a list of all assets that are not synchronizing as expected to a centralized time server. Use this report to identify these systems so you can further investigate and fix them.

Time synchronization technology such as Network Time Protocol (NTP) is used to keep system clocks synchronized across a network. This allows for log correlation between systems and establishes a clear sequence of events when necessary. PCI DSS requires that systems in the cardholder data environment be synchronized.

Relevant data sources

Relevant data sources for this report include NTP failure and success data.

How to configure this report

1. Index NTP synchronization data in Splunk Enterprise or other data that can be used to indicate a successful time synchronization attempt. No specific fields of information are needed to determine synchronization.

2. Tag the successful synchronization data with time and synchronize.

3. Configure the should_timesync column of the assets that should synchronize in the asset table.

Report description

The data in the System Time Synchronization report is populated by Endpoint - Time Sync Tracker - Lookup Gen, a lookup that runs against the time_sync_tracker CSV file.

Pci-PCI system time synchronization.png

This search runs on an offsite 20-minute cycle and looks at 60 minutes of data.

Schedule 0,20,40 * * * * Runs on an offset 20-minute schedule.
Report window -65m@m to -5m@m Looks at 60 minutes of data.

Note: The report window stops at 5 minutes ago because some data sources might not have provided complete data in a more recent time frame.

Useful searches/Troubleshooting

Troubleshooting Task Search Command Expected Result
Verify that time synchronization data is in Splunk Enterprise. tag=time tag=synchronize
or `time_sync`
Returns time synchronization data.
Verify that the time tracker lookup is populated. | inputlookup append=T time_sync_tracker
or time_sync_tracker
Returns data in the time_sync_tracker.
Verify successful time sync data. `time_sync(success)` Returns successful time sync data.
Verify successful time sync data fields. `time_sync(success)` | table dest Returns successful time sync data fields.

Additional information

Windows NTP produces messages 35 and 37 that indicate a synchronization attempt. Windows does not synchronize in a predictable, determinate way. This can cause false positives if you configured the report with short time frames.

Last modified on 26 October, 2015
Endpoint Changes
Privileged User Activity

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters