AlienVault® USM Appliance™

About the Timestamps in USM Appliance

Version: 5.x
Deployment: All deployments

This topic describes timestamps in AlienVault USM Appliance, and explains the difference between the timestamps displayed in the web UI and those found in Raw Logs.

On most of the USM Appliance web interfaces, the timestamp is displayed in a generic format: YYYY-MM-DD hh:mm:ss, for example, 2015-10-12 12:30:55. You will find these timestamps in events, alarms, vulnerability scan results, and reports. USM Appliance generates such a timestamp from the original timestamp through the normalized_date function during event processing.

In Raw Logs, however, the timestamp is stored in UNIX or epoch time, which is the number of seconds that have elapsed since 00:00:00 UTC on the 1st of January 1970. For example, 1444138680 UNIX time is 2015-10-06 13:38:00 UTC.

There are a number of methods to convert UNIX time to human readable time.

Method 1 - Online Tool

This can be done online using a conversion tool by pasting the UNIX time and selecting the correct timezone.

Method 2 - CLI Tool

Using a CLI tool can sometimes be more useful as it can be scripted. Below are two examples using the Linux commands "date" and "awk".

# date -d @1234567890

Fri Feb 13 23:31:30 GMT 2009

# echo 1234567890 |awk '{print strftime("%c",$1)}'

Fri Feb 13 23:31:30 2009

Note: When converting UNIX time to human readable format, it is essential to ensure that the timezone is set correctly. Otherwise, the default timezone of the machine or the online tool will be used, resulting in the wrong time.

Example:

In the examples given above in Method 2 the timezone of the machine performing the conversion was set to UTC/GMT +0.

If the timezone is changed to EST then the resulting conversion would be different as an offset of "-5" hours will be applied to the conversion:

# date -d @1234567890

Fri Feb 13 18:31:30 EST 2009
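
The following is an added example, not part of the original AlienVault documentation. It pins the timezone for each conversion so the result does not depend on the machine's default, and prints the YYYY-MM-DD hh:mm:ss format used by the web UI. The function names, the "<epoch> <message>" line layout, and the sample lines are assumptions constructed for illustration; they are not the USM Appliance raw log format.

```shell
#!/bin/sh
# Added example: convert epoch seconds with an explicit timezone.
# Assumes a `date` that accepts -d @EPOCH (GNU coreutils, as used above).

# epoch_to_ui EPOCH [TZ] -> prints "YYYY-MM-DD hh:mm:ss ZONE"
# TZ is a POSIX TZ string and defaults to UTC0. EST5 means a fixed
# UTC-5 offset with no daylight saving rules.
epoch_to_ui() {
    epoch=$1
    tz=${2:-UTC0}
    # Accept only a plain run of digits: `date -d` would otherwise parse
    # free-form strings such as "now" or "yesterday" taken from log input.
    case $epoch in
        ''|*[!0-9]*) echo "invalid epoch: $epoch" >&2; return 1 ;;
    esac
    TZ=$tz date -d "@$epoch" '+%Y-%m-%d %H:%M:%S %Z'
}

# convert_lines [TZ] : reads "<epoch> <message>" lines on stdin (constructed
# layout) and rewrites the leading epoch. Lines that do not start with an
# epoch are passed through unchanged.
convert_lines() {
    while IFS=' ' read -r ts rest; do
        if stamp=$(epoch_to_ui "$ts" "$1" 2>/dev/null); then
            printf '%s%s\n' "$stamp" "${rest:+ $rest}"
        else
            printf '%s%s\n' "$ts" "${rest:+ $rest}"
        fi
    done
}

# Constructed sample lines, not real USM Appliance output.
sample='1234567890 sshd: constructed sample line
1444138680 sudo: constructed sample line
not-a-timestamp left as is'

echo "--- UTC ---"
printf '%s\n' "$sample" | convert_lines UTC0
echo "--- EST (UTC-5) ---"
printf '%s\n' "$sample" | convert_lines EST5
```

Including the zone name in the output makes it clear which offset was applied when converted timestamps are compared with those shown in the web UI.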