Troubleshooting for DSMs
Description: If you come across a problem with your DSM, the following sections help you troubleshoot it.
Device Support Modules (DSMs) parse the events in JSA. You can think of DSMs as software plug-ins that are responsible for understanding and parsing events that are provided by an event source. An event source can be a security appliance, server, operating system, firewall, or database; in general, any type of system that generates an event when an action occurs. The DSM Configuration Guide contains a list of product manufacturers and the DSMs that are officially tested and validated against specific products.
Not having an official DSM doesn't mean that the events aren't collected. It means that the event received by JSA might be identified as "Unknown" on the Log Activity tab. "Unknown" means that JSA collected the event, but was unable to parse the event format well enough to categorize it. Events from devices without an official DSM are only identified when they follow an event format that JSA expects; events that the system cannot understand are categorized as "Unknown".
What is the difference between an unknown event and a stored event?
Events comprise three different categories:
Parsed events - JSA collects, parses, and categorizes the event to the proper log source.
Unknown events - The event is collected and parsed, but cannot be mapped or categorized to a specific log source. The Event Name and the Low-Level Category are set as Unknown. Log sources that aren't automatically discovered are typically identified as Unknown Event Log until a log source is manually created in the system. When an event cannot be associated to a log source, the event is assigned to a generic log source. You can identify these events by searching for events that are associated with the SIM Generic log source or by using the Event is Unparsed filter.
Stored events - The event cannot be understood or parsed by JSA. When JSA cannot parse an event, it writes the event to disk and categorizes the event as Stored.
How can you find these events in the Log Activity tab?
To find events specific to your device, you can search in JSA for the source IP address of your device. You can also select a unique value from the event payload and search for Payload Contains. One of these searches might locate your event, and it is likely either categorized as Unknown or Stored.
The easiest way to locate unknown or stored events is to add a search filter for Event is Unparsed. This search filter locates all events that either cannot be parsed (Stored) or that are not associated with a log source because the log source was not auto discovered (Unknown Event Log).
For more information about officially supported DSMs, see the Juniper Secure Analytics DSM Guide.
What do you do if the product version or device you have is not listed in the DSM Configuration Guide?
Version not listed - The index in the Guide lists the supported versions. If the DSM is for a product that is officially supported by JSA, but the version is out-of-date, you might need a DSM update to resolve any parsing issues. The product versions in the DSM guide were officially tested in-house, but software updates by vendors might add or change the event format for a specific DSM. In these cases, open a support ticket for a review of the log source.
Device not listed - When a device is not officially supported, you have two options:
Open a request for enhancement (RFE) to have your device become officially supported.
Go to the JSA support portal page and log in.
Click the Submit tab and type the necessary information.
If you have event logs from the device, attach them and include the product version of the device that generated them.
Write a log source extension to parse events for your device.
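Before writing a log source extension it is worth prototyping the field regexes against a sample of the device's raw events and checking which of the three buckets above (Parsed, Unknown, Stored) each line would land in. The following Python script is an added example for this page, not JSA code and not the log source extension format itself: it mimics the matcher idea (field name, regex, capture group) in plain Python, using a hypothetical appliance "acmefw-01" with a hypothetical log source, and constructed syslog lines as input.

```python
import re
from collections import Counter

# --- Constructed sample input (not real vendor output) ----------------------
# A hypothetical appliance "acmefw-01" sends key=value syslog. Two lines are
# well-formed events, one is a heartbeat the matchers have no pattern for, one
# comes from a host no log source exists for, and one is not syslog at all.
SAMPLE_EVENTS = [
    "<134>Jan 12 10:15:02 acmefw-01 acmefw: action=ALLOW src=192.0.2.10 dst=198.51.100.7 proto=TCP dport=443",
    "<134>Jan 12 10:15:03 acmefw-01 acmefw: action=DENY src=192.0.2.11 dst=198.51.100.9 proto=UDP dport=53",
    "<134>Jan 12 10:15:04 acmefw-01 acmefw: heartbeat ok uptime=86400",
    "<38>Jan 12 10:15:05 otherhost sshd: Accepted publickey for alice from 192.0.2.50",
    "corrupt frame 0xDEADBEEF 0x00 0x01 -- no syslog header",
]

# Minimal syslog header: PRI, timestamp, hostname, program.
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>\w{3} +\d{1,2} \d\d:\d\d:\d\d (\S+) (\S+?):")

# Hostnames that a (hypothetical) log source has been created for.
KNOWN_LOG_SOURCES = {"acmefw-01": "AcmeFW @ 10.0.0.5"}

# Matchers in the style of a log source extension: field -> (regex, capture group).
# EventName is the field that must extract for an event to count as Parsed.
MATCHERS = {
    "EventName":       (re.compile(r"action=(ALLOW|DENY)"), 1),
    "SourceIp":        (re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})"), 1),
    "DestinationIp":   (re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})"), 1),
    "DestinationPort": (re.compile(r"dport=(\d+)"), 1),
}


def extract_fields(payload):
    """Apply every matcher to the payload; return only the fields that hit."""
    fields = {}
    for name, (regex, group) in MATCHERS.items():
        m = regex.search(payload)
        if m:
            fields[name] = m.group(group)
    return fields


def classify(payload):
    """Return (category, log_source, fields) using the page's three buckets."""
    header = SYSLOG_HEADER.match(payload)
    if header is None:
        # Not even the envelope is understood: written to disk as Stored.
        return "Stored", None, {}
    hostname = header.group(1)
    log_source = KNOWN_LOG_SOURCES.get(hostname)
    if log_source is None:
        # Collected, but no log source to map it to: lands on SIM Generic.
        return "Unknown", "SIM Generic", {}
    fields = extract_fields(payload)
    if "EventName" not in fields:
        # Right device, but no pattern names the event: Unknown event name.
        return "Unknown", log_source, fields
    return "Parsed", log_source, fields


def summarize(events):
    """Count events per category, the view an 'Event is Unparsed' search gives you."""
    return Counter(classify(e)[0] for e in events)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        cat, src, fields = classify(e)
        print(f"{cat:8} {src!s:20} {fields}")
    print(summarize(SAMPLE_EVENTS))
```

Run it against a capture of your own device's events instead of SAMPLE_EVENTS: every line that comes back Unknown tells you which pattern is still missing from the extension, and every Stored line tells you the device is not sending the envelope you assumed, which no field regex will fix.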