Binary logs can't be viewed in elog due to the wrong time zone in USG5500

Publication Date: 2014-06-19
Issue Description
A customer added a Secospace USG 5520S firewall in VSM, and the USG 5520S was synchronized, but the customer was unable to get reports for the USG5520S on VSM.
This is the topology:

The related configuration in USG5520S:
info-center source default channel 2 log state off
info-center loghost source GigabitEthernet0/0/2
info-center loghost 10.110.1.178 9002
#
firewall session log-type binary host 1 10.110.1.178 9002
firewall session log-type binary source 10.80.15.251 1616
#
firewall interzone trust untrust
session log enable acl-number 3046 inbound
session log enable acl-number 3046 outbound
Alarm Information
None
Handling Process
(1) From the customer's reply, the route between the USG5520S and elog is OK, and the USG5520S was added to elog successfully.


Check the log collection mode: the session connection mode has been selected, and the port is 9002, which is the same as the port configured on the firewall.
(2) From the menu "Analysis->Session Analysis->Session statistics", we can see that elog has received the session logs from the firewall.


(3) Check the time and time zone; they appear to be almost the same on the USG5520S and the elog server.
Time and time zone in USG5520S:
<USG5500>dis clock
13:54:11 2014/06/17
2014-06-17 13:54:11
Tuesday
Time zone: pakestan add 05:00:00
<USG5500>
Time and time zone in elog server:

(4) Capture packets on the elog server to check in detail the data that elog receives.
From the captured packets, we can see that elog has received the session logs from the firewall.

But the time in the session log is different from the time on elog.
Hex: 53a090ab53a090c1
Dec: 6025975366938562753
Converted from UTC, the timestamp is 2014-06-18 03:02:25, while the current time is 2014-06-17 17:01:24; both are shown here in UTC+8 Beijing time. Converted to UTC+5, the time in the session log is 2014-06-18 00:02:25 and the current time on the elog server is 2014-06-17 14:01:24, which differ from each other. From this we can conclude that the time in the session logs sent by the USG5520S is not correct.
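The check above can be scripted so that the timestamp field is decoded and compared against the collector's clock automatically. The following is an added example, not code from the case or from Huawei; it assumes that the 8-byte hex field is two big-endian 32-bit Unix timestamps (session start and end, seconds since the epoch in UTC), which the case does not state explicitly but which is consistent with the times it gives. The collector time and tolerance are constructed from the case text.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the case: the 8-byte timestamp field seen in the capture,
# and the elog server's wall-clock time (UTC+8) when the capture was taken.
CAPTURED_HEX = "53a090ab53a090c1"
COLLECTOR_LOCAL = datetime(2014, 6, 17, 17, 1, 24,
                           tzinfo=timezone(timedelta(hours=8)))


def parse_timestamps(hex_field: str):
    """Split the 8-byte field into two big-endian 32-bit Unix timestamps.

    Assumption (not stated on the page): the two words are the session start
    and end time, both in seconds since the Unix epoch, UTC.  Note that the
    page's decimal value is the whole 64 bits read as one number; it is not a
    Unix timestamp by itself."""
    raw = bytes.fromhex(hex_field)
    start, end = struct.unpack(">II", raw)
    return (datetime.fromtimestamp(start, tz=timezone.utc),
            datetime.fromtimestamp(end, tz=timezone.utc))


def in_zone(ts: datetime, hours: int) -> str:
    """Render a UTC timestamp in a fixed-offset zone, e.g. UTC+8 or UTC+5."""
    return ts.astimezone(timezone(timedelta(hours=hours))).strftime("%Y-%m-%d %H:%M:%S")


def clock_skew_seconds(log_time: datetime, collector_time: datetime) -> int:
    """Positive when the log timestamp is ahead of the collector's clock.
    Both values are timezone-aware, so the subtraction happens in UTC."""
    return int((log_time - collector_time).total_seconds())


def looks_like_flipped_offset(skew: int, zone_hours: int, tolerance: int = 300) -> bool:
    """A time zone configured with the wrong sign shifts the UTC stamp by twice
    the offset (local + 5h instead of local - 5h is a 10h error).  True when
    the observed skew matches that signature within the tolerance."""
    return abs(abs(skew) - 2 * zone_hours * 3600) <= tolerance


def diagnose(hex_field: str, collector_time: datetime, zone_hours: int,
             tolerance: int = 300) -> dict:
    """Decode the field, measure the skew of the session end time against the
    collector and classify it."""
    start, end = parse_timestamps(hex_field)
    skew = clock_skew_seconds(end, collector_time)
    if abs(skew) <= tolerance:
        verdict = "ok"
    elif looks_like_flipped_offset(skew, zone_hours, tolerance):
        verdict = "timezone sign reversed"
    else:
        verdict = "clock mismatch"
    return {"start_utc": start, "end_utc": end, "skew_s": skew, "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(CAPTURED_HEX, COLLECTOR_LOCAL, zone_hours=5)
    print("session end, UTC+8:", in_zone(result["end_utc"], 8))
    print("session end, UTC+5:", in_zone(result["end_utc"], 5))
    print("collector,   UTC+5:", in_zone(COLLECTOR_LOCAL, 5))
    print("skew (s):", result["skew_s"], "->", result["verdict"])
```

For the values in this case the skew works out to about ten hours, which is exactly twice the configured 5-hour offset, so the script reports the reversed-sign signature rather than a plain clock mismatch; an NTP drift or a wrong clock would show up as an arbitrary skew instead.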
Checking the product documentation again, we find that the time zone set on the firewall is not correct. On the USG5520, the time zone information is as follows:
<USG5500>dis clock
13:54:11 2014/06/17
2014-06-17 13:54:11
Tuesday
Time zone: pakestan add 05:00:00
<USG5500>
The description of the clock timezone command in the product documentation is as follows:

Now we know that for UTC+5, we should change the time zone with
<USG5500>clock timezone pakistan minus 05:00:00
and then set the clock to the local time. After the change, elog can receive the session logs from the firewall, and the session logs are shown in elog.
Root Cause
1) The USG5500 is not associated with the elog collector, or the collection mode does not include session mode.
2) The USG5500 does not send binary logs to the elog collector.
3) The time or time zone does not match between the USG5500 and the elog collector.
Suggestions
When configuring the firewall and elog, the time zone must be the same on both. Up to firewall software version V300R001C01SPC200, the meaning of "add" and "minus" in the firewall's clock timezone command is different from that on other Huawei network products such as routers and switches. Please refer to the product documentation when you configure the firewall.