How to change & sync the timezone on a QRadar SIEM environment


Time synchronization between devices in enterprise environments is critical for several security reasons.

Some of them:

– Attacks
– Task misconfiguration
– Event time correlation for SIEM devices
– Etc.

This scenario focuses on a QRadar SIEM environment, version 7.3.1; it also applies to higher versions.


1. Check the correct timezone syntax

[root@boydC~]# timedatectl list-timezones

2. After that, stop the main QRadar services:

[root@boydC~]# service hostcontext stop
[root@boydC~]# service tomcat stop
[root@boydC~]# service hostservices stop

3. Check the current timezone

[root@boydC~]# date
Sat May 18 17:43:14 CST 2019

Or

[root@boydC~]# timedatectl
Local time: Sat 2019-05-18 17:48:23 CST
Universal time: Sat 2019-05-18 23:48:23 UTC
RTC time: Sat 2019-05-18 23:48:23
Time zone: America/Central_America (CST, -0600)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
[root@boydC~]#

4. Set the timezone (for this example I used “UTC”) and synchronize the hardware clock from the system clock

[root@boydC~]# timedatectl set-timezone UTC
[root@boydC~]# /sbin/hwclock --systohc

5. Start QRadar services

[root@boydC~]# service hostservices start
[root@boydC~]# service tomcat start
[root@boydC~]# service hostcontext start

6. Verify the changes using the options from step 3.

[root@boydC~]# date
[root@boydC~]# timedatectl

7. Sync the new changes across the whole QRadar environment (Event Processor, Secondary Console, etc.) using the following default scripts from the QRadar installation:

[root@boydC~]# /opt/qradar/support/all_servers.sh /opt/qradar/bin/time_sync.sh
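
An added example, not part of the original post or of QRadar itself: a shell function that checks `timedatectl` output for the state that steps 4 and 6 aim for (expected zone, clock synchronized, RTC kept in UTC). The function names and the UTC sample are assumptions made for illustration; the first sample is the step 3 output, abridged.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify `timedatectl` status text.
# Usage on a live host:  timedatectl | check_timedatectl UTC

# Print the value of the first "Label: value" line whose label matches ERE $1.
td_field() {
    sed -E -n "s/^[[:space:]]*($1):[[:space:]]*//p" | head -n 1
}

# Read timedatectl output on stdin; return 0 only if the zone equals $1,
# the clock is reported as synchronized, and the RTC is kept in UTC.
check_timedatectl() {
    local want_tz="$1" status tz synced rtc_local rc=0
    status="$(cat)"
    tz="$(printf '%s\n' "$status" | td_field 'Time zone' | awk '{print $1}')"
    # Older systemd prints "NTP synchronized", newer "System clock synchronized".
    synced="$(printf '%s\n' "$status" | td_field 'NTP synchronized|System clock synchronized')"
    rtc_local="$(printf '%s\n' "$status" | td_field 'RTC in local TZ')"
    if [ "$tz" != "$want_tz" ]; then
        echo "FAIL: time zone is '${tz:-unknown}', expected '$want_tz'"; rc=1
    fi
    if [ "$synced" != "yes" ]; then
        echo "FAIL: clock not synchronized (value: '${synced:-missing}')"; rc=1
    fi
    if [ "$rtc_local" != "no" ]; then
        echo "FAIL: RTC is not kept in UTC (value: '${rtc_local:-missing}')"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $tz, synchronized, RTC in UTC"; fi
    return "$rc"
}

# Status text shown in step 3 of the post (before the change), abridged.
SAMPLE_BEFORE='Local time: Sat 2019-05-18 17:48:23 CST
Universal time: Sat 2019-05-18 23:48:23 UTC
Time zone: America/Central_America (CST, -0600)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no'

# Constructed sample of the expected state after step 4.
SAMPLE_AFTER='Time zone: UTC (UTC, +0000)
NTP synchronized: yes
RTC in local TZ: no'

# Demo: the first call reports the zone mismatch, the second passes.
printf '%s\n' "$SAMPLE_BEFORE" | check_timedatectl UTC || true
printf '%s\n' "$SAMPLE_AFTER" | check_timedatectl UTC
```

A non-zero exit status from the check on any host means that host's event timestamps should not be trusted for correlation until it is fixed.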
