Time in Log Insight: Roles + Issues

This week I would like to take a look at time in Log Insight. Time plays several critical roles in Log Insight, and if time is not set properly, several issues can arise. Today, I would like to discuss these roles and issues.

Roles

Time is used by Log Insight in several ways including:

  • To timestamp messages as they arrive
  • To perform Kerberos queries against Active Directory
  • For Log Insight cluster management (Log Insight 2.0)

Issues

If time is not synced properly the following issues can arise:

  • Queries do not return results for expected time ranges
  • Active Directory authentication fails
  • The Log Insight cluster stops working properly

Best Practices

In general, you want to ensure that each Log Insight instance is within five minutes of other clocks in the environment. To do this, Log Insight recommends that you configure NTP on the Log Insight virtual appliance. If you do not have access to NTP servers, you can also use the ESX/ESXi host that the virtual appliance is running on as a time source, though NTP is preferred.
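As an added example (not part of the original post or of Log Insight), the following checks the five-minute tolerance above by computing the clock offset from an NTP server reply with the standard NTP offset formula. The function names are hypothetical and the reply packet is constructed inline so the code runs offline.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW = 5 * 60            # the five-minute tolerance from the text, in seconds

def to_ntp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_time)
    return struct.pack("!II", whole + NTP_UNIX_DELTA, int((unix_time - whole) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp back to a Unix time."""
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def clock_offset(reply, t4):
    """Return (offset, delay) in seconds; t4 is local Unix time when the reply arrived."""
    if len(reply) < 48:
        raise ValueError("truncated NTP packet")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    # Leap indicator 3 or a stratum outside 1..15 means the server has no valid time.
    if reply[0] >> 6 == 3 or not 1 <= reply[1] <= 15:
        raise ValueError("server clock is not synchronised")
    t1 = from_ntp(reply[24:32])  # originate: our transmit time, echoed by the server
    t2 = from_ntp(reply[32:40])  # server receive time
    t3 = from_ntp(reply[40:48])  # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2  # positive: the server is ahead of us
    delay = (t4 - t1) - (t3 - t2)         # network round trip, server processing removed
    return offset, delay

def within_tolerance(offset):
    """True when the local clock is within five minutes of the server."""
    return abs(offset) <= MAX_SKEW

def sample_reply(t1, t2, t3, stratum=2, leap=0):
    """Constructed 48-byte reply (version 4, mode 4) for offline testing."""
    header = struct.pack("!BBbb", (leap << 6) | (4 << 3) | 4, stratum, 6, -20)
    return header + bytes(20) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

if __name__ == "__main__":
    sent = 1700000000.0  # constructed local send time
    # Constructed case: server 400 s ahead, 0.25 s each way, 0.25 s processing.
    reply = sample_reply(sent, sent + 400.25, sent + 400.5)
    offset, delay = clock_offset(reply, sent + 0.75)
    print(f"offset={offset:+.2f}s delay={delay:.2f}s ok={within_tolerance(offset)}")
```

An offset beyond the tolerance is the condition under which the issues listed above (empty query ranges, failed Active Directory authentication) would be expected to appear.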

© 2014 – 2021, Steve Flanders. All rights reserved.
