This week I would like to take a look at time in Log Insight. Time plays several critical roles in Log Insight and if time is not set properly several issues can arise. Today, I would like to discuss these roles and issues.
Time is used by Log Insight in several ways including:
- To timestamp messages as they arrive
- To perform Kerberos queries against Active Directory
- For Log Insight cluster management (Log Insight 2.0)
If time is not synced properly the following issues can arise:
- Queries do not return results for expected time ranges
- Active Directory authentication fails
- The Log Insight cluster stops working properly
In general, you want to ensure that each Log Insight instance is within five minutes of other clocks in the environment. To do this, Log Insight recommends that you configure NTP on the Log Insight virtual appliance. If you do not have access to NTP servers, you can also use the ESX/ESXi host that the virtual appliance is running on for time though NTP is preferred.
© 2014 – 2021, Steve Flanders. All rights reserved.