03-29-2016 08:15 AM
Hi All,
I have a question for you.
We have analyzed our logs and it seems there is something that is not properly correlated.
Here below is a little explanation of the parameters mentioned:
------------------------------------------
Receive Time: Time the log was received at the management plane
Generate Time: Time the log was generated on the dataplane
Time Logged: N/A; can someone explain this specific parameter?
Start Time: Time of session start
Elapsed Time (sec): Elapsed time of the session
------------------------------------------
Assuming this, I need to better understand this output:
I have flagged "Log at session end".
I suppose that: Generate Time = Start Time + Elapsed Time.
So we can clearly see from output provided that Elapsed time + Start Time IS NOT equal to Receive Time for line where value is 240.
While for line with value 61, Elapsed Time + Start Time IS EQUAL to Receive Time.
Any kind of suggestion? Thoughts?
Best Regards
Luca
03-29-2016 09:08 AM
Are you looking at the same session ID?
03-29-2016 09:22 AM
So I'm looking at an "end" log with a "tcp-fin" session end reason for an application "web-browsing" and have this:
Start Time: 2016/03/29 10:26:27
Receive Time: 2016/03/29 10:35:29
Elapsed Time (sec): 540
The difference from the start time to the receive time is 542 seconds. I'm guessing there's a delta of 2 seconds because of processing time?
03-30-2016 02:18 AM - edited 03-30-2016 02:28 AM
The receive time is when the log is 'received' by the management plane to be written in the log database.
Depending on the management plane load, dataplane load, log rate, log volume and several other factors, the receive time can be one or several seconds after the log was created and is not necessarily correlated in any way to the actual session; it's just an indication of when the log itself was written to file.
This can become more apparent in an environment where Panorama is located far away from a managed firewall, where there is a potential break in communication and the firewall is not able to send logs in real time.
The receive time may then be minutes or even hours from the start and elapsed time, depending on the gap in communication.
03-30-2016 03:52 AM
Hi @reaper,
Thanks a lot for your explanation.
I agree with you but I need to find a point on this one.
In conclusion, if Generate Time is not strictly related to Start + Elapsed Time, in order to be accurate on the session time:
Elapsed Time = duration of the session from SYN to FIN
Session Ended = Start Time + Elapsed Time (I suppose)
Example
Start Time = 10:00:00
Elapsed Time= 60 sec
Generate Time = 10:06:00 (depends on dataplane and management-plane load and several other factors)
Session Ended = 10:00:00 + 60 sec = 10:01:00
I need to be accurate about when the session has ended.
Correct me if I am wrong.
Also last question is:
-----------------------------
Time Logged: N/A; can someone explain this specific parameter?
-----------------------------
Thanks and Best Regards
Luca
03-30-2016 05:13 AM - edited 03-30-2016 05:14 AM
Hi
There's even a difference between receive time and generate time.
Receive time is when the management plane receives the log entry and sends it to the database.
Generate time is when the log is 'created' on the dataplane, which depends on session-start (start time + time needed for the dataplane to create the log) or session-end (start time + time elapsed + time needed for the dataplane to create the log).
so for your example:
Start Time = 10:00:00
Elapsed Time= 60 sec
Generate Time - session start = 10:00:00 (depends on dataplane load)
Receive Time - session start = 10:00:00 (depends on management-plane load and other factors)
Generate Time - session end = 10:01:00 (depends on dataplane load)
Receive Time - session end = 10:01:00 (depends on management-plane load and other factors)
Session Ended = 10:00:00 + 60 sec = 10:01:00
A session is marked as 'ended' when either both sides send a FIN, a RST is seen, or the session is marked as closed for other reasons, OR, in case of a timeout, the timeout expires and the session is marked as closed by (idle) timeout.
Time logged should be when the log is actually written to the database (as log files may be put in a write queue for the database).
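The two explanations above (receive time lagging the real session because of management-plane or Panorama delays, and generate time for a session-end log being start + elapsed + dataplane processing) can be checked mechanically on an exported log. The script below is an added example, not code from the thread or from Palo Alto Networks: it reads a constructed CSV whose column names are assumptions modelled on the field names used in this thread (receive_time, generate_time, start_time, elapsed_sec, session_id, subtype), computes the session end as Start Time + Elapsed Time, and reports how far Generate Time and Receive Time drift from it, flagging end logs that arrived late.

```python
"""Derive session end and log-delivery lag from traffic-log records.

Added example. The CSV layout and column names below are assumptions
modelled on the field names discussed in the thread; they are not a
verbatim PAN-OS export format. Sample rows are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d %H:%M:%S"  # timestamp format seen in the thread

# Constructed sample export (assumed column names). Session 1001 ends by
# tcp-fin with a 2 s receive delay; session 1002's end log arrives ~1.5 h
# late, as it would after a Panorama connectivity gap; session 1003 has
# no matching start log in this export.
SAMPLE_CSV = """\
receive_time,generate_time,session_id,subtype,start_time,elapsed_sec,session_end_reason
2016/03/29 10:26:28,2016/03/29 10:26:27,1001,start,2016/03/29 10:26:27,0,n/a
2016/03/29 10:35:29,2016/03/29 10:35:27,1001,end,2016/03/29 10:26:27,540,tcp-fin
2016/03/29 10:00:01,2016/03/29 10:00:00,1002,start,2016/03/29 10:00:00,0,n/a
2016/03/29 11:30:05,2016/03/29 10:01:00,1002,end,2016/03/29 10:00:00,60,aged-out
2016/03/29 10:05:02,2016/03/29 10:05:01,1003,end,2016/03/29 10:04:00,61,tcp-rst
"""


def parse_ts(value):
    """Parse the 'YYYY/MM/DD HH:MM:SS' timestamps used in the export."""
    return datetime.strptime(value, TIME_FMT)


def session_end(start_time, elapsed_sec):
    """Session end as agreed in the thread: Start Time + Elapsed Time."""
    return start_time + timedelta(seconds=elapsed_sec)


def analyze(csv_text, late_threshold_sec=60):
    """Return one summary dict per session-end record.

    gen_lag_sec  = Generate Time - computed session end (dataplane delay)
    recv_lag_sec = Receive Time  - computed session end (management-plane
                   or Panorama delivery delay)
    late         = recv_lag_sec exceeds late_threshold_sec
    has_start_log = a 'start' record for the same session ID is present,
                   so start/end rows are being compared for one session
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    seen_start = {r["session_id"] for r in rows if r["subtype"] == "start"}
    results = []
    for r in rows:
        if r["subtype"] != "end":
            continue  # only end logs carry a meaningful elapsed time
        start = parse_ts(r["start_time"])
        ended = session_end(start, int(r["elapsed_sec"]))
        gen_lag = (parse_ts(r["generate_time"]) - ended).total_seconds()
        recv_lag = (parse_ts(r["receive_time"]) - ended).total_seconds()
        results.append({
            "session_id": r["session_id"],
            "session_end": ended.strftime(TIME_FMT),
            "end_reason": r["session_end_reason"],
            "has_start_log": r["session_id"] in seen_start,
            "gen_lag_sec": int(gen_lag),
            "recv_lag_sec": int(recv_lag),
            "late": recv_lag > late_threshold_sec,
        })
    return results


def late_sessions(csv_text, late_threshold_sec=60):
    """Session IDs whose end log reached the management plane late."""
    return [r["session_id"]
            for r in analyze(csv_text, late_threshold_sec) if r["late"]]


if __name__ == "__main__":
    for row in analyze(SAMPLE_CSV):
        print(row)
```

Use the computed session_end (not Receive Time) when correlating the log with other evidence, and treat a large recv_lag_sec as a signal that logs were delayed in transit rather than that the session lasted longer; in the sample, session 1001 reproduces the 542-second start-to-receive gap discussed above (540 s elapsed plus 2 s of delivery delay).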
03-30-2016 05:40 AM
Hi @reaper,
Perfect!!
In conclusion, there is not a field that can indicate exactly when a session has ended; the only way is to calculate it with:
--------------------------------------------------
Session Ended = Start Time + Elapsed Time
---------------------------------------------------
That's the important and main piece of information on my side, simply because I need to know exactly when a session has ended.
Also thanks to @Brandon_Wertz for your response!
KR
Luca