
Troubleshooting DSMs


Problem

Description: Device Support Modules (DSMs) parse the events in JSA. You can think of DSMs as software plug-ins that are responsible for understanding and parsing events that are provided by an event source. An event source can be a security appliance, server, operating system, firewall, or database. DSMs can be any type of system that generates an event when an action occurs.

Solution

What is the difference between an unknown event and a stored event?

When events aren’t parsed correctly, they appear on the Log Activity tab as one of the following event types:

  • Unknown events - The event is collected and parsed, but cannot be mapped or categorized to a specific log source. Log sources that aren't automatically discovered are typically identified as an unknown event log until a log source is manually created in the system. When an event cannot be associated to a log source, the event is assigned to a generic log source. You can identify these events by searching for events that are associated with the SIM Generic log source or by using the Event is Unparsed filter.

  • Stored events - The event cannot be understood or parsed by JSA. When JSA cannot parse an event, it writes the event to disk and categorizes the event as Stored.

How can you find these unknown or stored events in the Log Activity tab?

To find events specific to your device, search in JSA for the source IP address of your device. You can also select a unique value from the event payload and search for Payload Contains. One of these searches might locate your event, which is likely categorized as either unknown or stored.

You can also add a search filter for Event is Unparsed. This search locates all events that either cannot be parsed (stored) or that are not associated with a log source or auto discovered (unknown).

What do you do if the product version you have is not listed in the Juniper Secure Analytics Configuring DSMs Guide?

The Juniper Secure Analytics Configuring DSMs Guide contains a list of product manufacturers and the DSMs that are officially tested and validated against specific products. If the DSM is for a product that is officially supported by JSA, but the version is out of date, you might need a DSM update to resolve any parsing issues. The product versions in the DSM guide were officially tested in-house, but software updates by vendors might add or change the event format for a specific DSM. In these cases, open a support ticket at https://support.juniper.net/support/.

What do you do if the product device you have is not listed in the Juniper Secure Analytics Configuring DSMs Guide?

If your product device is not listed in the Juniper Secure Analytics Configuring DSMs Guide, it is not officially supported. For example, DSMs that appear on the IBM Security App Exchange are supplied by vendors and aren't officially supported by Juniper. Not having an official DSM doesn't mean that the events are not collected. It indicates that the event that is received by JSA might be identified as unknown on the Log Activity tab. You have these options:

  • Open a request for enhancement (RFE) to have your device become officially supported.

    1. Go to the JSA.

    2. Log in to the support portal page.

    3. Click the Submit tab and type the necessary information.

    Note

    If you have event logs from a device, it helps if you attach the event information and include the product version of the device that generated the event log.

  • Write a log source extension to parse events for your device.
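Before writing a log source extension, it helps to confirm that the field-extraction patterns actually match the payloads that currently appear as unknown or stored. The following Python script is an added illustration, not part of the Juniper article and not JSA's log source extension format itself: it models a small set of field matchers (one regex with one capture group per field, the same shape an extension matcher has), an event-name-to-category map, and a simplified version of the parsed/unknown/stored split. The sample payloads, the field names (EventName, SourceIp, DestinationIp, UserName) and the category map are constructed assumptions for the example.

```python
import re

# Constructed sample payloads (not real device output) of the kind that show
# up on the Log Activity tab as unknown or stored, one payload per line.
SAMPLE_PAYLOADS = [
    "<134>Jan 10 12:00:01 fw01 acme: action=login_failed src=10.1.2.3 dst=192.0.2.10 user=alice",
    "<134>Jan 10 12:00:02 fw01 acme: action=login_success src=10.1.2.4 dst=192.0.2.10 user=bob",
    "<134>Jan 10 12:00:03 fw01 acme: action=config_change src=10.1.2.5 dst=192.0.2.10 user=carol",
    "<134>Jan 10 12:00:04 fw01 acme: heartbeat ok",
]

# Field name -> regex with one capture group. Field names are assumed for the
# example; a real extension would use the field names JSA defines.
FIELD_PATTERNS = {
    "EventName": re.compile(r"action=(\w+)"),
    "SourceIp": re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})"),
    "DestinationIp": re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})"),
    "UserName": re.compile(r"user=(\S+)"),
}

# Event names we know how to categorize (constructed). Anything the patterns
# extract but that is missing here stays "unknown" in this model.
EVENT_MAP = {
    "login_failed": ("Authentication", "Login Failure"),
    "login_success": ("Authentication", "Login Success"),
}


def extract_fields(payload):
    """Run every matcher over the payload; return only the fields that hit."""
    fields = {}
    for name, rx in FIELD_PATTERNS.items():
        m = rx.search(payload)
        if m:
            fields[name] = m.group(1)
    return fields


def classify(payload):
    """Simplified model of the split the article describes:
    stored  - nothing usable could be parsed from the payload
    unknown - parsed, but the event name has no category mapping
    parsed  - parsed and mapped to a category."""
    fields = extract_fields(payload)
    if "EventName" not in fields:
        return "stored", fields
    mapping = EVENT_MAP.get(fields["EventName"])
    if mapping is None:
        return "unknown", fields
    fields["Category"], fields["EventLabel"] = mapping
    return "parsed", fields


def payload_contains(payloads, needle):
    """Offline equivalent of a 'Payload Contains' search over captured lines."""
    return [p for p in payloads if needle in p]


def coverage_report(payloads):
    """Count how many payloads each pattern set would parse, leave unknown,
    or fail on entirely; useful to check matcher coverage before deploying."""
    counts = {"parsed": 0, "unknown": 0, "stored": 0}
    for p in payloads:
        status, _ = classify(p)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        status, fields = classify(p)
        print(f"{status:8s} {fields}")
    print(coverage_report(SAMPLE_PAYLOADS))
```

Run the script against a handful of payloads copied from the unknown or stored events you located in the Log Activity tab; every payload that still reports stored needs a pattern, and every one that reports unknown needs a mapping, before the extension is worth installing.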