Correcting Time On The Sensor - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuring Time
•
Be sure to set the time zone and summertime settings on both ASA and AIP-SSM to ensure that the UTC
Caution
time settings are correct. AIP-SSM's local time could be incorrect if the time zone and/or summertime
settings do not match between AIP-SSM and ASA.

Correcting Time on the Sensor

If you set the time incorrectly, your stored events will have the incorrect time because they are stamped
with the time the event was created.
The Event Store time stamp is always based on UTC time. If during the original sensor setup, you set
the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct the error, the
corrected time will be set backwards. New events might have times older than old events.
For example, if during the initial setup, you configure the sensor as central time with daylight saving
time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset
from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error:
the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows 09:01:33
CDT. Because the offset from UTC has not changed, it requires that the UTC time now be 14:01:33 UTC,
which creates the time stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the
older events by using the clear events command. For more information on the clear events command,
see
You cannot remove individual events.
Caution
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
4-20
For AIP-SSM:
AIP-SSM can automatically synchronize its clock with the clock in the ASA in which it is
–
installed. This is the default.
The UTC time is synchronized between ASA and AIP-SSM. The time zone and
Note
summertime settings are not synchronized between ASA and AIP-SSM.
Use NTP
–
You can configure AIP-SSM to get its time from an NTP time synchronization source, such as
a Cisco router other than the parent router. See
page 4-28. You will need the NTP server IP address, the NTP key ID, and the NTP key value.
You can configure AIP-SSM to use NTP during initialization or you can set up NTP through the
CLI, IDM, or ASDM.
We recommend that you use an NTP time synchronization source.
Note
Clearing Events from the Event Store, page
Chapter 4
Configuring a Cisco Router to be an NTP Server,
13-7.
Initial Configuration Tasks
78-16527-01