Your organization wants its SIEM to raise an alert anytime an account experiences three failed SSH logins within a five-minute window, even if the attempts occur on different Linux servers. Before analysts write the correlation rule, which preparatory action will most reduce the chance of the SIEM missing a distributed brute-force attack because the timestamps in the logs cannot be aligned accurately?
Enable weekly rotation of authentication logs to keep log file sizes manageable.
Synchronize each server's system clock with a trusted NTP source so all logs share a consistent timestamp baseline.
Increase the SSH logging level to VERBOSE on all servers to capture more detail in each failed login entry.
Configure circular logging to overwrite the oldest events once the log file reaches a fixed size limit.
Correlation rules compare timestamps from many hosts to decide whether separate events belong to the same logical incident. If each server's clock drifts even by a few seconds, the SIEM may interpret attempts that actually happened within five minutes as falling outside that window, producing false negatives. Synchronizing every server's time with a reliable NTP source gives all authentication logs a common, accurate timeline, allowing the SIEM to evaluate the rule correctly. Log rotation schedules, higher SSH verbosity, and circular logging affect retention or detail, but none of them resolves the fundamental need for consistent timestamps when performing multi-host log analysis.
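To make the explanation concrete, here is an added example (not part of the original page) of the three-failures-in-five-minutes rule run over constructed auth.log lines from three hosts, first with the hosts' raw drifting timestamps and then after the per-host clock offsets that NTP synchronization would remove are corrected. The log lines, hostnames, IP address, offsets and function names are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log lines (not from the original page). The three failed
# logins for "deploy" really happened within about 2.5 minutes, but the
# clocks on web02 and web03 are skewed, so the raw timestamps disagree.
LOG_LINES = [
    "2024-05-01T10:00:05 web01 sshd[211]: Failed password for deploy from 203.0.113.7 port 40012 ssh2",
    "2024-05-01T10:09:30 web02 sshd[340]: Failed password for deploy from 203.0.113.7 port 40013 ssh2",
    "2024-05-01T09:52:10 web03 sshd[517]: Failed password for deploy from 203.0.113.7 port 40014 ssh2",
]

# Assumed clock offsets in seconds (host clock minus true time): web02 runs
# 7 minutes fast, web03 runs 10 minutes slow. NTP would drive these to ~0.
CLOCK_OFFSETS = {"web01": 0, "web02": 420, "web03": -600}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(lines, offsets=None):
    """Return (user, host, timestamp) tuples for failed SSH logins.

    offsets maps host -> seconds its clock is ahead of true time; None means
    the timestamps are taken at face value (unsynchronized clocks)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if offsets:
            ts -= timedelta(seconds=offsets.get(m["host"], 0))
        events.append((m["user"], m["host"], ts))
    return events


def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Return the set of users with >= threshold failures inside any sliding
    window, regardless of which host logged them (the page's rule)."""
    per_user = {}
    for user, _host, ts in events:
        per_user.setdefault(user, []).append(ts)
    alerts = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.add(user)
                break
    return alerts
```

With the raw timestamps the three attempts appear to span more than 17 minutes and no alert fires; once the offsets are corrected they fall within about 2.5 minutes and "deploy" is flagged.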