JSA can collect and correlate events from any network infrastructure or security device by using the Universal DSM.
After the events are collected, and before correlation can begin, the individual events from your devices must be properly parsed to determine the event name, IP addresses, protocol, and ports. For common network devices, such as Cisco firewalls, predefined DSMs are engineered for JSA to properly parse and classify the event messages from the respective devices. After the events from a device are parsed by the DSM, JSA can continue to correlate events into offenses.
If an enterprise network has one or more network or security devices that are not officially supported, where no specific DSM for the device exists, you can use the Universal DSM. The Universal DSM lets you forward events and messages from unsupported devices and categorize those events for JSA. JSA can integrate with virtually any device or any common protocol source by using the Universal DSM.
To configure the Universal DSM, you must use device extensions to associate a Universal DSM with devices. Before you define device extension information by using the log sources window on the Admin tab, you must create an extensions document for the log source.
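Before writing the extensions document, it helps to check candidate patterns against captured events so that nothing reaches JSA unparsed. The following is an added example, not part of the JSA documentation: it tests one regular expression per field named above (event name, IP addresses, protocol, ports) against constructed events. The device name `acmefw`, its key=value log format, and the field names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample events from a hypothetical unsupported firewall "acmefw".
SAMPLE_LINES = [
    "<134>Mar 03 10:15:02 acmefw01 acmefw: action=DENY proto=TCP src=10.1.1.5 spt=51514 dst=192.0.2.10 dpt=443",
    "<134>Mar 03 10:15:07 acmefw01 acmefw: action=ALLOW proto=udp src=10.1.1.9 spt=5353 dst=198.51.100.7 dpt=53",
    "<134>Mar 03 10:15:09 acmefw01 acmefw: action=DENY proto=TCP src=999.1.1.1 spt=80 dst=192.0.2.10 dpt=70000",
    "<134>Mar 03 10:15:11 acmefw01 acmefw: configuration saved by admin",
]

# One candidate pattern per field, one capture group each (names are illustrative, not JSA's).
PATTERNS = {
    "event_name": re.compile(r"\baction=(\w+)"),
    "protocol": re.compile(r"\bproto=(\w+)"),
    "source_ip": re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "source_port": re.compile(r"\bspt=(\d+)"),
    "dest_ip": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "dest_port": re.compile(r"\bdpt=(\d+)"),
}

def parse_event(line):
    """Return (fields, problems) for one raw event line."""
    fields, problems = {}, []
    for name, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match is None:
            problems.append(f"{name}: no match")
            continue
        value = match.group(1)
        try:
            if name.endswith("_ip"):
                ipaddress.ip_address(value)  # rejects octets above 255
            elif name.endswith("_port") and not 0 <= int(value) <= 65535:
                raise ValueError("port out of range")
        except ValueError:
            problems.append(f"{name}: invalid value {value}")
            continue
        fields[name] = value
    return fields, problems

def coverage(lines):
    """Split lines into fully parsed events and ones needing pattern work."""
    parsed, rejected = [], []
    for line in lines:
        fields, problems = parse_event(line)
        (rejected if problems else parsed).append((line, fields, problems))
    return parsed, rejected
```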