Splunk® App for PCI Compliance

Installation and Configuration Manual

System Time Synchronization

This report looks at system time synchronization data and provides a list of all assets that are not synchronizing as expected to a centralized time server. Use this report to identify these systems so you can further investigate and fix them.

Time synchronization technology such as Network Time Protocol (NTP) is used to keep system clocks synchronized across a network. This allows for log correlation between systems and establishes a clear sequence of events when necessary. PCI DSS requires that systems in the cardholder data environment be synchronized.

Relevant data sources

Relevant data sources for this report include NTP failure and success data.

How to configure this report

  1. Index NTP synchronization data or other data that can be used to indicate a successful time synchronization attempt in Splunk platform. No specific fields of information are needed to determine synchronization.
  2. Tag the successful synchronization data with "time", "synchronize", "os", and "performance".
  3. Configure the should_timesync column of the assets that should synchronize in the asset table.

Report description

The data in the System Time Synchronization report is populated by the Performance data model and the asset table.

Useful searches for troubleshooting

Troubleshooting Task Search Command Expected Result
Verify that time synchronization data is in Splunk platform. tag=time tag=synchronize tag=os tag=performance
or `time_sync`
Returns time synchronization data.
Verify successful time sync data. `time_sync(success)` Returns successful time sync data.
Verify successful time sync data fields. `time_sync(success)` | table dest Returns successful time sync data fields.

Additional information

Windows NTP produces messages 35 and 37 that indicate a synchronization attempt. Windows does not synchronize in a predictable, determinate way. This can cause false positives if you configured the report with short time frames.

Last modified on 14 February, 2022
Endpoint Changes   Privileged User Activity

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters