The present application relates to the field of computer system monitoring, and more particularly to the use of timestamp information appearing in logs of computer system activity.
Computer systems and devices make extensive use of logs to collect information regarding computer system operation. Log information can be used for a variety of purposes including accounting, troubleshooting, and various types of monitoring including security-related monitoring. For example, security information and event management (SIEM) systems are known that receive logs generated by devices such as servers, network devices, etc., and use the information in the logs to assess system operation from a security perspective.
Logs include timestamps in order to identify the times at which logs are generated. A log timestamp can often serve as an approximation of the time that the underlying event being reported actually occurred, especially when the logging device is directly involved in the underlying event. As an example, a log from a DHCP server will accurately reflect the actual time that an IP address was assigned to a host, because the DHCP server itself performed the assignment action and messaging—there is essentially no delay between the action and the logging of the action.
There are known network protocols relating to identifying time in a network of computers. For example, the Network Time Protocol or NTP, http://www(dot)ntp(dot)org, allows machines to synchronize their local clocks with designated NTP servers. NTP makes no provision for conveying information about time zones or daylight saving time, and machines are required to actively contact NTP servers for synchronization.
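The two points above (a log timestamp approximates the event time, and NTP conveys no time-zone information) matter in practice when a monitoring system correlates logs from several devices: a syslog-style line carries no year and no zone, so the reader has to supply both. The following is an added illustration, not code from the application; the log lines are constructed, the host names are hypothetical, and the per-device zone table is an assumption about how each device's local clock is configured. It normalizes mixed-format lines to UTC and orders them, showing how a DHCP lease logged at local time can appear hours out of sequence with firewall traffic until the zone is applied.

```python
"""Normalize log timestamps from several devices to UTC so events can be
correlated in true order. Added example with constructed data."""
from datetime import datetime, timezone, timedelta
import re

# Assumption (hypothetical): the zone each device's local clock is set to.
# Syslog-style timestamps carry no zone, so this has to be known out of band.
DEVICE_ZONES = {
    "dhcp1": timezone(timedelta(hours=-5)),  # assumed local clock, UTC-5
    "fw1": timezone.utc,                     # assumed to log in UTC
}

# Constructed sample lines: RFC 3164-style syslog (no year, no zone) and
# ISO 8601 with an explicit offset, from two hypothetical hosts.
SAMPLE_LOGS = [
    "Mar  5 09:15:02 dhcp1 DHCPACK on 10.0.0.42 to 00:11:22:33:44:55",
    "2024-03-05T14:14:30+00:00 fw1 allow 10.0.0.42 -> 203.0.113.7:443",
    "Mar  5 14:15:10 fw1 deny 10.0.0.42 -> 203.0.113.9:22",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
ISO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year):
    """Return (utc_timestamp, host, message) for one log line.

    `year` is supplied by the caller because syslog timestamps omit it.
    Raises ValueError when the format or the device zone is unknown, so an
    unknown clock is never silently treated as UTC.
    """
    m = ISO_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return ts.astimezone(timezone.utc), m["host"], m["msg"]
    m = SYSLOG_RE.match(line)
    if m:
        host = m["host"]
        if host not in DEVICE_ZONES:
            raise ValueError(f"no zone configured for host {host!r}")
        naive = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        ts = naive.replace(tzinfo=DEVICE_ZONES[host]).astimezone(timezone.utc)
        return ts, host, m["msg"]
    raise ValueError(f"unrecognised timestamp format: {line!r}")


def order_events(lines, year):
    """Parse every line and return the events sorted by UTC time."""
    events = [parse_line(line, year) for line in lines]
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for ts, host, msg in order_events(SAMPLE_LOGS, 2024):
        print(ts.isoformat(), host, msg)
```

Read literally, the DHCP line looks like it precedes the firewall "allow" by about five hours; after applying the device's zone it falls between the two firewall events, which is the order a monitoring system needs when it asks which host held 10.0.0.42 at the moment of a given connection. Refusing to parse a host with no configured zone is deliberate: a guessed zone produces a confidently wrong timeline.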