Exam 712-50 topic 1 question 399 discussion

In context of the question the answer is C.

NIST Special Publication 800-92: Guide to Computer Security Log Management "When the clocks on systems are not synchronized, event correlation can become very difficult, and events from one system may appear to have occurred before they actually did, relative to the time on another system. It is strongly recommended that organizations use a common time synchronization protocol, such as Network Time Protocol (NTP), to ensure that the clocks on all systems are synchronized."

he correct answer is C. Each node set to local time. Setting each node to local time would negatively impact a log analysis of a multinational organization. In order to perform effective log analysis, it is important to have consistent and standardized timestamps across all log entries. If each node within the organization is set to local time, it would introduce inconsistencies in the timestamps recorded in the log files, making it difficult to correlate events accurately and perform accurate analysis across different systems and regions.

Answer is C.

A. Would be beneficial B. Would be a necessary good practice C. Is not good, makes correlation difficult. This would be the forensic answer. D This can be argued to be the worst as information is lost in the aggregation. You would have to resort to the unaggregated logs to investigate an incident.

I also have the same concern about local time, But still the log analysis will not be delayed but this cause mapping the chronology of event. But if the local aggregation is done, then we need to analyse each log which will cause delay

I reconsider the question. Is D the correct answer

Should be "C"... Why is local aggregation the correct answer ?