Symantec Access Management

  • 1.  Access logs GMT offset

    Posted Aug 03, 2015 02:53 PM

    SiteMinder access logs print the log entry timestamp with [localtime -GMT offset]

     

    example

    AzAccept  [03/Aug/2015:14:45:45 -0500]

     

    I am running into a problem when these logs are being read through Splunk. As access logs don't account for the DST offset, Splunk reports the current log activity in the future. I suspect this is a problem only where DST is in place. Has anyone observed this and have a solution to read the correct time?

     

    CA's response has been that it is not a bug and is to be filed as an enhancement request, to which I don't agree, as it seems like a bug.

     

    Thanks

     



  • 2.  Re: Access logs GMT offset

    Posted Aug 03, 2015 09:38 PM

    Hi Vivek,

    Can you elaborate more on what the problem is that you are facing with the access log in [localtime -GMT offset]? Do you have a use case to explain the situation that you are facing?

    Do you mean the access log needs to cater for Daylight Saving Time (DST) when capturing the transaction in the smaccess log?

     

    Thanks.



  • 3.  Re: Access logs GMT offset

    Posted Aug 04, 2015 08:24 AM

    Hi Karmeng,

     

    Yes, access logs should cater to daylight saving. The reason for that is that the current timestamp in smaccess logs doesn't have the correct offset; for example, I am in the EST time zone and the access log is printed with (localtime -0500), which does not translate to the correct GMT time.

     

    I am facing a problem when these logs have to be parsed through Splunk: since the offset is 5 hours, the time that is converted from access logs is in the future by 1 hour, so we cannot generate the reports properly.

     

    Looking at my LDAP logs, those do cater to the DST offset; if I look at the logs, the GMT offset is 4 hours, which it should be because of DST.

     

     

    Thanks



  • 4.  Re: Access logs GMT offset

    Posted Aug 05, 2015 01:06 AM

    Hi Vivek,

    Thanks for your update. The policy server access log time follows the OS time and timezone setting. If the OS is set to adjust for daylight saving time automatically, I presume the localtime should be in the correct status (catering for DST as per the OS setting).

    I'm not sure how Splunk parsed the access log time, but from the SiteMinder perspective it has limited control, as it follows the setting on the OS side. As such, I don't think of this as a "bug". I agree an enhancement request can help to improve the situation.

    I was thinking of another way: whether Splunk has any function to parse the time with DST?

     

    Thanks.



  • 5.  Re: Access logs GMT offset

    Posted Aug 05, 2015 07:28 AM

    Hi Karmeng,


    Not entirely true, as I have LDAP on the same machine and I can see it clearly reports a GMT offset of 4 hours correctly during daylight saving. The OS sets the time correctly, otherwise other products would show the same problem. For that reason I think it is a bug.

    In smaccess logs for EST timezone it seems to be hardcoded to have an offset of 5 hours and does not take into consideration DST. 

     

    As a workaround I can play around with Splunk, but then I would have to do the same thing twice a year, once with DST on and the other time with DST off.

     

    Thanks



  • 6.  Re: Access logs GMT offset
    Best Answer

    Posted Aug 05, 2015 02:34 PM

    Hi Karmeng,

     

    Turns out it is a bug and is fixed in 12.52SP1CR2.

     

    Thanks
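
The workaround discussed in this thread, as an added example (not code from any poster or from CA): ignore the offset printed in the smaccess line, treat the timestamp as wall-clock time on the policy server, and apply the offset that was really in force. It assumes the server runs on US Eastern time under the US DST rules in force since 2007; the function names and the January sample line are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Bracketed smaccess timestamp, e.g. [03/Aug/2015:14:45:45 -0500]
STAMP = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")

def nth_sunday(year, month, n):
    """02:00 on the n-th Sunday of the given month."""
    first = datetime(year, month, 1, 2)
    days_to_sunday = (6 - first.weekday()) % 7  # Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))

def us_eastern_offset(local):
    """UTC offset for a US Eastern wall-clock time (assumed zone).

    DST runs from the second Sunday of March to the first Sunday of November.
    The repeated 01:00-01:59 hour at fall-back is ambiguous on the wall clock
    and is treated here as still being in DST.
    """
    in_dst = nth_sunday(local.year, 3, 2) <= local < nth_sunday(local.year, 11, 1)
    return timedelta(hours=-4 if in_dst else -5)

def normalize(line):
    """Return (utc_time, logged_offset_was_wrong), or None if no timestamp."""
    m = STAMP.search(line)
    if not m:
        return None
    local = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    logged = datetime.strptime(m.group(2), "%z").utcoffset()
    actual = us_eastern_offset(local)
    # Discard the logged offset; convert wall-clock time with the real one.
    utc = (local - actual).replace(tzinfo=timezone.utc)
    return utc, logged != actual

SAMPLE = [
    "AzAccept  [03/Aug/2015:14:45:45 -0500]",  # line quoted in the first post
    "AzAccept  [15/Jan/2016:09:00:00 -0500]",  # constructed winter line
]

if __name__ == "__main__":
    for entry in SAMPLE:
        utc, wrong = normalize(entry)
        print(utc.isoformat(), "offset mismatch" if wrong else "offset ok")
```

The mismatch flag is useful on its own for incident timelines: any event it marks would be placed one hour late if the logged offset were trusted when correlating with other sources.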