Set up NTP via chrony in multinode deployment
dcode opened this issue
When systems are offline and can't reach NIST servers they won't be able to sync time. We should keep sensor pointed to NIST by default (or maybe offer config option to set NTP source(s)) and point all the other nodes to the first sensor node. This way they at least all agree on the time.
Without NTP sync, Elasticsearch clustering is a roll of the dice if there's not too much drift. It also complicates Docket if the Docket query doesn't align with the PCAP indexes in Stenographer.
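The layout proposed above, sketched as a shell function that renders a `chrony.conf` for each role. This is an added example, not code from the issue or the project; the function name, `time.nist.gov`, the `10.0.0.0/24` subnet, the `10.0.0.10` address and the drift file path are assumptions.

```shell
#!/bin/sh
# Added example: render chrony.conf for the two roles described in the issue.
# render_chrony_conf is a hypothetical helper; all values passed to it are assumptions.

render_chrony_conf() {
    role=$1        # "first-sensor" or "node"
    upstream=$2    # first-sensor: external NTP source; node: the first sensor's address
    subnet=${3:-}  # first-sensor only: subnet allowed to query it

    case "$role" in
    first-sensor)
        [ -n "$subnet" ] || { echo "first-sensor needs a client subnet" >&2; return 1; }
        cat <<EOF
# First sensor: sync upstream when reachable, serve time to the other nodes.
server $upstream iburst
# Only the deployment subnet may query this server.
allow $subnet
# Keep serving time when upstream is unreachable so the nodes still agree.
local stratum 10
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
        ;;
    node)
        cat <<EOF
# Other nodes: follow the first sensor only; without an allow line they serve nobody.
server $upstream iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
        ;;
    *)
        echo "unknown role: $role" >&2
        return 1
        ;;
    esac
}

# Constructed sample values (assumptions, not from the issue).
render_chrony_conf first-sensor time.nist.gov 10.0.0.0/24
render_chrony_conf node 10.0.0.10
```

On a running node, `chronyc sources` shows which source was selected, and `chronyc tracking` shows the current offset from it.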