Netflow - Minion/Sentinel generate a "message" on inbound flow timestamp skewed from local UTC clock more than X
Description
As the Minion/Sentinel will always see the live inbound netflow streams, have them generate a "message" when the timestamp in the header is skewed by more than X, where X is a configurable value in seconds (recommend a 15-minute, or 900-second, default value).
Because logging by UTC timestamp in source determines which ES index will be used, it is important to minimize skew as well as help system operators look into devices that may be out of sync. This will require Minion/Sentinel hosts to be time-synced to a valid network clock to be able to detect skew.
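A sketch of the requested check, added here as an illustration and not taken from the Minion/Sentinel code base: it reads the export time from a NetFlow v5, NetFlow v9 or IPFIX header and returns a message when the skew from the local UTC clock exceeds X. The function names, the `netflow-%Y-%m-%d` index pattern and the exporter address are assumptions made for the example.

```python
import struct
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 900  # the 15-minute default the ticket recommends for X

# Offset of the 32-bit export time (Unix seconds) in each header format:
# NetFlow v5 and v9 keep it after version/count/sysUptime, IPFIX (version 10)
# after version/length.
EXPORT_TIME_OFFSET = {5: 8, 9: 8, 10: 4}


def export_time(packet: bytes) -> int:
    """Return the exporter's header timestamp as Unix seconds (UTC)."""
    if len(packet) < 2:
        raise ValueError("packet too short to carry a version field")
    (version,) = struct.unpack_from("!H", packet, 0)
    offset = EXPORT_TIME_OFFSET.get(version)
    if offset is None:
        raise ValueError(f"unsupported flow version {version}")
    if len(packet) < offset + 4:
        raise ValueError("truncated flow header")
    return struct.unpack_from("!I", packet, offset)[0]


def check_skew(packet, exporter, now, max_skew=MAX_SKEW_SECONDS):
    """Return a message when the header time is more than max_skew seconds
    away from the local UTC clock (now, Unix seconds); otherwise None."""
    skew = export_time(packet) - int(now)
    if abs(skew) <= max_skew:
        return None
    direction = "ahead of" if skew > 0 else "behind"
    return (f"flow exporter {exporter}: header time is {abs(skew)}s "
            f"{direction} local UTC (limit {max_skew}s)")


def daily_index(epoch: int) -> str:
    """Hypothetical daily index name derived from a UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("netflow-%Y-%m-%d")


def make_v5_header(unix_secs: int) -> bytes:
    """Constructed 24-byte NetFlow v5 header with no flow records."""
    return struct.pack("!HHIIIIBBH", 5, 0, 0, unix_secs, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    now = 1700000000  # constructed "local clock": 2023-11-14 22:13:20 UTC
    stale = make_v5_header(now - 2 * 86400)  # exporter two days behind
    print(check_skew(stale, "192.0.2.10", now))
    print(daily_index(export_time(stale)), "instead of", daily_index(now))
```

The comparison is only meaningful if `now` comes from a host that is itself synchronized, which is the dependency the description calls out.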