System Time Synchronization
This report looks at system time synchronization data and provides a list of all assets that are not synchronizing as expected to a centralized time server. Use this report to identify these systems so you can further investigate and fix them.
Time synchronization technology such as Network Time Protocol (NTP) is used to keep system clocks synchronized across a network. This allows for log correlation between systems and establishes a clear sequence of events when necessary. PCI DSS requires that systems in the cardholder data environment be synchronized.
Relevant data sources
Relevant data sources for this report include NTP failure and success data.
How to configure this report
- Index NTP synchronization data or other data that can be used to indicate a successful time synchronization attempt in Splunk platform. No specific fields of information are needed to determine synchronization.
- Tag the successful synchronization data with "time", "synchronize", "os", and "performance".
- Configure the
should_timesync
column of the assets that should synchronize in the asset table.
Report description
The data in the System Time Synchronization report is populated by the Performance data model and the asset table.
Useful searches for troubleshooting
Troubleshooting Task | Search Command | Expected Result |
---|---|---|
Verify that time synchronization data is in Splunk platform. | tag=time tag=synchronize tag=os tag=performance or `time_sync` |
Returns time synchronization data. |
Verify successful time sync data. | `time_sync(success)` | Returns successful time sync data. |
Verify successful time sync data fields. | `time_sync(success)` | table dest | Returns successful time sync data fields. |
Additional information
Windows NTP produces messages 35 and 37 that indicate a synchronization attempt. Windows does not synchronize in a predictable, determinate way. This can cause false positives if you configured the report with short time frames.
Endpoint Changes | Privileged User Activity |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!