12.1 Understanding Time in Sentinel

Sentinel is a distributed system made up of several processes that can run in different parts of the network, and the event sources themselves can add delay before an event reaches a Collector. To accommodate this, the Sentinel processes reorder incoming events into a time-ordered stream before processing them.

The following illustration explains how Sentinel does this:

Figure 12-1 Sentinel Time

  1. By default, the event time is set to the Collector Manager time. The ideal time is the device time, so set the event time to the device time whenever the device time is available, accurate (the source clock is synchronized), and properly parsed by the Collector. An unparsed or badly skewed device time is worse than the Collector Manager time, because it moves the event out of the processing windows described below.

  2. Events are sorted into 30-second intervals so that they can be viewed in Active Views. By default, the events that have a time stamp within a 5-minute range from the server time (in the past or future) are processed normally. Events that have time stamps more than 5 minutes in the future do not show in the Active Views, but are inserted into the event store. Events that have time stamps more than 5 minutes and less than 24 hours in the past are still shown in the charts, but are not shown in the event data for that chart. A drill-down operation is necessary to retrieve those events from the event store.

  3. If the event time is more than 30 seconds older than the server time, the Correlation Engine does not process the event. An event that arrives with a stale time stamp, for example from a source with an unsynchronized clock, is therefore stored but never evaluated by correlation rules.

  4. If the event time is more than 5 minutes older than the Collector Manager time (which is treated as the reference time), the events are routed directly to the event store.
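The following Python script is an added illustration of the rules in steps 1 through 4; it is not part of Sentinel and not code from this guide. It models the 30-second, 5-minute and 24-hour windows as stated above and shows, for a set of constructed time stamps, which Sentinel components see each event. The plausibility bound used to decide whether a parsed device time is trusted (MAX_TRUSTED_DEVICE_SKEW), the treatment of events more than 5 minutes in the future as event-store only, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default windows as described in this section.
CORRELATION_MAX_AGE = timedelta(seconds=30)   # Correlation Engine ignores older events
ACTIVE_VIEW_WINDOW = timedelta(minutes=5)     # +/- around server time: "processed normally"
CHART_MAX_AGE = timedelta(hours=24)           # 5 min .. 24 h old: charts only, drill-down for data
# Hypothetical bound used to decide whether a parsed device time is plausible (assumption).
MAX_TRUSTED_DEVICE_SKEW = timedelta(hours=24)


@dataclass(frozen=True)
class Disposition:
    event_time: datetime
    correlation: bool    # Correlation Engine evaluates the event
    active_views: bool   # appears in Active Views event data
    charts: bool         # counted in Active Views charts
    event_store: bool    # persisted (always true here)


def choose_event_time(device_time: Optional[datetime], cm_time: datetime) -> tuple[datetime, str]:
    """Step 1: prefer the device time when the Collector parsed it into a timezone-aware
    value that is plausible relative to the Collector Manager clock; otherwise fall back
    to the Collector Manager time. Returns (event_time, source_of_time)."""
    if device_time is None or device_time.tzinfo is None:
        return cm_time, "collector_manager"   # missing or unparsed (naive) device time
    if abs(device_time - cm_time) > MAX_TRUSTED_DEVICE_SKEW:
        return cm_time, "collector_manager"   # implausible device clock (assumed policy)
    return device_time, "device"


def classify(event_time: datetime, server_time: datetime) -> Disposition:
    """Steps 2-4: `age` is positive for past events and negative for future events."""
    age = server_time - event_time
    if abs(age) <= ACTIVE_VIEW_WINDOW:
        # Within +/- 5 minutes: processed normally; correlation only if not more than 30 s old.
        return Disposition(event_time, age <= CORRELATION_MAX_AGE, True, True, True)
    if age < timedelta(0):
        # More than 5 minutes in the future: not shown in Active Views, stored only.
        return Disposition(event_time, False, False, False, True)
    if age < CHART_MAX_AGE:
        # 5 min .. 24 h in the past: charted, but the data requires a drill-down to the store.
        return Disposition(event_time, False, False, True, True)
    # 24 h or older: event store only.
    return Disposition(event_time, False, False, False, True)


def dispositions(device_times, cm_time, server_time):
    """Run step 1 and steps 2-4 over a list of parsed device times (None = not parsed)."""
    results = []
    for dev in device_times:
        event_time, source = choose_event_time(dev, cm_time)
        results.append((source, classify(event_time, server_time)))
    return results


if __name__ == "__main__":
    # Constructed sample: Collector Manager and server share one clock here.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sample = [
        now - timedelta(seconds=10),    # fresh: correlated and shown everywhere
        now - timedelta(minutes=2),     # 2 min old: Active Views, but no correlation
        now - timedelta(minutes=30),    # charts only; drill-down needed for the data
        now - timedelta(days=2),        # event store only
        now + timedelta(minutes=10),    # far future: event store only
        None,                           # device time not parsed: Collector Manager time used
        datetime(2024, 1, 1, 12, 0),    # naive time stamp (no zone): treated as unparsed
    ]
    for source, d in dispositions(sample, now, now):
        print(f"{source:17} {d.event_time.isoformat()} corr={d.correlation} "
              f"views={d.active_views} charts={d.charts} store={d.event_store}")
```

The naive-time-stamp case is the one that bites in practice: a Collector that parses a device time without its zone offset produces a value that is hours off, which this model (and Sentinel, by the rules above) then drops from correlation and Active Views even though the event is current.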