The Correlation Engine processes time-ordered streams of events and detects patterns within events as well as temporal patterns in the stream. However, sometimes the device generating the event might not include the time in its log messages. To configure time to work correctly with Sentinel, you have two options:
Configure NTP on the Collector Manager and deselect on the event source in the Event Source Manager. Sentinel uses the Collector Manager as the time source for the events.
Select on the event source in Event Source Manager. Sentinel uses the time from the log message as the correct time.
To change this setting on the event source:
Log in to Event Source Management.
For more information, see Accessing Event Source Management
in the NetIQ Sentinel 7.0.1 Administration Guide.
Right-click the event source you want to change the time setting for, then select .
Select or deselect the option on the bottom of the tab.
Click to save the change.