topic Difference between: Start Time | Generate Time | Receive Time | Elapsed Time in General Topics

Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

TheRealDiz — Tue, 29 Mar 2016 15:15:22 GMT

Hi All,

I have question for you.

We have analyzed our log and seems there is something that is not properly correlated.

Here below a little explanation regarding parameters mentioned:

------------------------------------------

Receive Time
Time the log was received at the management plane

Generate Time
Time the log was generated on the dataplane

Time Logged
N/A; Can someone explain this specific parameter?

Start Time
Time of session start

Elapsed Time (sec)
Elapsed time of the session

------------------------------------------

Assuming this, I need to understand better this output:

I have flagged "Log at session end".

I suppose that : Generate Time = Start Time + Elapsed Time.

So we can clearly see from output provided that Elapsed time + Start Time IS NOT equal to Receive Time for line where value is 240.

While for line with value 61, Elapsed Time + Start Time IS EQUAL to Receive Time.

Any kind of suggestion? Thoughts?

Best Regards

Luca

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

Brandon_Wertz — Tue, 29 Mar 2016 16:08:45 GMT

Are you looking at the same session ID?

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

TheRealDiz — Tue, 29 Mar 2016 16:11:57 GMT

Yeap!

Sure

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

Brandon_Wertz — Tue, 29 Mar 2016 16:22:10 GMT

So I'm looking at an "end" log with a "tcp-fin" session end reason for an application "web-browsing" and have this:

Start Time

2016/03/29 10:26:27

Receive Time

2016/03/29 10:35:29

Elapsed Time(sec)

540

The difference from the Start to receive time is 542 seconds. I'm guessing there's a delta of 2 seconds because of processing time?

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

reaper — Wed, 30 Mar 2016 09:28:33 GMT

The receive time is when the log is 'received' by the management plane to be written in the log database.

Depending on the management plane load, dataplane load, log rate, log volume and several other factors, the receive time can be one or several seconds after it was created and is not necessarily correlated in any way to the actual session, it's just an indication when the log itself was written to file.

This can become more apparent in an environment where panorama is located far away from a managed firewall where there is a potential break in communication and the firewall is not able to send logs real-time

The receive time may then be minutes or even hours, depending on the gap in communication, from the start and elapsed time

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

TheRealDiz — Wed, 30 Mar 2016 10:52:08 GMT

Hi @reaper,

Thanks a lot for your explanation.

I agree with you but I need to find a point on this one.

In conclusion if Generate Time is not strictly related to Start + Elapsed Time, in order to be accurate on Session Time:

Elapsed Time = Is duration of session from SYN to FIN

Session Ended = Start Time + Elapsed (I suppose)

Example

Start Time = 10:00:00

Elapsed Time= 60 sec

Generate Time = 10:06:00 (Depends on data-plane and management-plane load and other several factors)

Session Ended = 10:00:00 + 60 sec = 10:01:00

I need to be accurate when Session is ended.

Correct me if I am wrong.

Also last question is:

-----------------------------

Time Logged
N/A; Can someone explain this specific parameter?

-----------------------------

Thanks and Best Regards

Luca

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

reaper — Wed, 30 Mar 2016 12:14:04 GMT

there's even a difference between receive time and generate time

Receive time is when the management plane receives the log entry andsends it to the database

Generate time is when the log is 'created' on the dataplane which depends on session-start (start time + time needed for dataplane to create the log) or session-end (start time + time elapsed + time needed for dataplane to create the log)

so for your example:

Start Time = 10:00:00

Elapsed Time= 60 sec

Generate Time - session start = 10:00:00 (Depends on data-plane load)

Receive Time - session start = 10:00:00 (Depends on management-plane load and other factors)

Generate Time - session end = 10:01:00 (Depends on data-plane load)

Receive Time - session end = 10:01:00 (Depends on management-plane load and other factors)

Session Ended = 10:00:00 + 60 sec = 10:01:00

a session is marked as 'ended' when either both sides send a FIN, RST or the session is marked as closed for other reasons OR, in case of a timeout, the timeout expires and the session is marked as closed by (idle) timeout

time logged should be when the log is actually written to the database (as log files may be put in a write queue for the database)

Re: Difference between: Start Time | Generate Time | Receive Time | Elapsed Time

TheRealDiz — Wed, 30 Mar 2016 12:40:57 GMT

Hi @reaper,

Perfect!!

In conclusion there is not a field that can indicate exactly when a Session is ended the only way is to calculate it with:

--------------------------------------------------

Session Ended = Start Time + Elapsed Time

---------------------------------------------------

That's important and main information on my side, simply because I need to know exactly when a session is ended.

Also thanks to @Brandon_Wertz for your response!

Luca