Closed
Description
- Operating System Version: ESXi7, WIN SERVER2016, WIN10, LINUX 18.04
- Deploying via (VirtualBox/VMWare/AWS/Azure/ESXi): ESXi
- Vagrant Version (if applicable):
Description of the issue:
While the entire DetectionLab deployment went successfully and I began some simple hunting using Splunk, I found that the system time on all 4 instances is incorrect. Eventually, I could not search in Splunk with the relative time option, such as last 15 mins, because every system has a different understanding of "last 15 mins": the Splunk index time is my local time and the logging host time is another time. Then I did the troubleshooting:
- Looking into the logger server
- Run the command: timedatectl. I found the local time actually is in my time zone but the universal time is UTC. And somehow the Splunk search relies on my system local time?
- Looking into the DC
- Run the command: w32tm /query /source. It returns Local CMOS Clock, and the time is neither UTC nor my local time
I'm not sure this issue happens to everyone, but it may relate to where I live, in the GMT+8 time zone. Here is the way I fixed it (not perfect):
- To the logger server: I just set the local time to align with UTC.
- To all WIN hosts, run the commands:
tzutil /s "Taipei Standard Time"
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:manual
w32tm /resync
As a result (not a perfect result):
- My search can now do a last-15-mins search, but it is not reflecting my local time
- Checking Windows events on WEF, somehow the event log time is in UTC, not the local time that I've set.
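A way to tell an unsynchronised clock apart from a timezone mix-up across the lab hosts, as an added example that is not part of this issue or of DetectionLab: it compares each event's own timestamp with the Splunk index time per host over constructed sample records. The host names, timestamps, the GMT+8 offset and the 5-minute tolerance are assumptions based on this report.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: (host, timestamp written in the event, Splunk _indextime).
# Windows event timestamps carry "Z" (UTC); the Ubuntu logger wrote its local
# (GMT+8) wall-clock time with no zone marker. Hosts and values are assumed.
SAMPLE_EVENTS = [
    ("dc",     "2021-03-01T01:47:20Z", "2021-03-01T02:00:07Z"),
    ("wef",    "2021-03-01T02:00:09Z", "2021-03-01T02:00:11Z"),
    ("logger", "2021-03-01T10:00:01",  "2021-03-01T02:00:02Z"),
]

def parse_ts(ts):
    """Parse an ISO-8601 timestamp to an aware UTC datetime. A timestamp with
    no zone marker is treated as UTC, mirroring an indexer given no TZ hint."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def skew_minutes(events):
    """Median (indextime - eventtime) per host, in minutes."""
    per_host = defaultdict(list)
    for host, event_ts, index_ts in events:
        delta = parse_ts(index_ts) - parse_ts(event_ts)
        per_host[host].append(delta.total_seconds() / 60)
    out = {}
    for host, vals in per_host.items():
        vals.sort()
        out[host] = round(vals[len(vals) // 2], 1)
    return out

def classify(skew, tz_offset_hours=8, tolerance=5.0):
    """Near zero = in sync; near a whole timezone offset = local time was
    mistaken for UTC (or the reverse); anything else = clock drift."""
    if abs(skew) <= tolerance:
        return "in sync"
    if abs(abs(skew) - tz_offset_hours * 60) <= tolerance:
        return "timezone mismatch"
    return "clock drift"

def audit(events, tz_offset_hours=8):
    """Map each host to (skew in minutes, label)."""
    return {h: (s, classify(s, tz_offset_hours)) for h, s in skew_minutes(events).items()}

if __name__ == "__main__":
    for host, (skew, label) in audit(SAMPLE_EVENTS).items():
        print(f"{host:8s} skew={skew:+8.1f} min  {label}")
```

A skew that sits at a whole number of hours points at a timezone configuration problem (tzutil, TZ hints on the Splunk input), while a skew of a few minutes that grows over time points at a host not syncing from NTP.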