Description: If you come across a problem with your DSM, you can troubleshoot the following issues.
What happens when events that are parsed and collected with unofficial DSMs?
Not having an official DSM doesn't mean that the events aren't collected. It indicates that the event that is received by JSA might be identified as "Unknown" on the Log Activity tab of JSA. "Unknown" means that JSA collected the event, but was unable to parse the event format to categorize the event. However, some unique events in unofficial DSMs cannot be parsed or identified if they don't follow an event format that is expected. When an event cannot be understood by the system, they are categorized as "Unknown".
What is the difference between an unknown event and a stored event?
Events comprise three different categories:
Parsed events - JSA collects, parses, and categorizes the event to the proper log source.
Unknown events - The event is collected and parsed, but cannot be mapped or categorized to a specific log source. The Event Name and the Low-Level Category are set as Unknown. Log sources that aren't automatically discovered are typically identified as Unknown Event Log until a log source is manually created in the system. When an event cannot be associated to a log source, the event is assigned to a generic log source. You can identify these events by searching for events that are associated with the
SIM Genericlog source or by using the
Event is Unparsedfilter.
Stored events - The event cannot be understood or parsed by JSA. When JSA cannot parse an event, it writes the event to disk and categorize the event as Stored.
How can you find these events in the Log Activity tab?
To find events specific to your device, you can search in JSA
for the source IP address of your device. You can also select a unique
value from the event payload and search for
Payload Contains. One of these searches might locate your event, and it is likely
either categorized as Unknown or Stored.
The easiest way to locate unknown or stored events is to add
a search filter for
Event in Unparsed.
This search filter locates all events that either cannot be parsed
(stored) or events that might not be associated with a log source
or auto discovered (Unknown Log Event).
For more information about officially supported DSMs, see the JSA Supported DSMs.
What do you do if you have an unknown event log from a log source that is not auto discovered?
The Event Collection Service (ECS) contains a traffic analysis process that automatically discovers and creates new log sources from events. Traffic analysis tries to identify the log source by analyzing the event payloads. At minimum, 25 events are required to identify a log source. If the log source cannot be identified by traffic analysis after 1,000 events, then JSA abandons the auto discovery process. When a log source cannot be identified by the event payload and reaches the maximum threshold for traffic analysis, then JSA generates a notification that specifies the IP address of the log source. JSA generates the following notification:
Unable to automatically
detect the associated log source for IP address <IP>
JSA then categorizes the log source as SIM Generic and labels the events as Unknown Event Log.
JSA can auto discover certain log sources, but some supported log sources cannot be detected. Common causes of this notification are:
The device is a newer version than the DSM that JSA supports to parse events.
The device type does not support automatic log source discovery. Review the documentation for your DSM to see whether it is automatically discovered.
The logs might not follow an expected format. A customizable event format or required field might be missing.
The device might be creating an event format due to an incorrect configuration.
The logs are coming from a device that is not an officially supported DSM in JSA.
To resolve the unknown event log:
Review the IP address to determine which device is sending unparsed events. After you identify the device, you can manually create a log source by using the JSA Log Source Management app.
Review any log sources that forward events at a low rate. Log sources with low event rates are a common cause of this notification.
Ensure that auto update downloads the latest DSMs to properly parse events for your JSA system.
Review any log sources that provide events through a central log server. Logs that are provided from central log servers or management consoles might require their log sources to be created manually.
Review the Log Activity tab to determine the appliance type from the IP address in the notification message and manually create a log source in JSA.
What do you do if the product version or device you have is not listed in the DSM Configuration Guide?
Sometimes a version of a vendor product or a device is not listed as supported. If the product or device is not listed, follow these guidelines:
Version not listed - If the DSM is for a product that is officially supported by JSA, but the version that is listed in the JSA DSM Configuration Guide appears to be out of-date, try the DSM to see whether it works. The newer untested versions might also work. In most cases, no changes are necessary, or you might need to make a minor update to the QRadar Identifier (QID) Map. On rare occasions, vendor software updates might add or change event formats that break the DSM requiring an RFE for the development of a new integration. This scenario would be the only one where an RFE is required In either event, open a support ticket for a review of the log source to troubleshoot and rule out any potential issues that are not related to the software version.
Device not listed - When a device is not officially supported, you have the following options:
Open a request for enhancement (RFE) to have your device become officially supported.
Go to the JSA.
Log in to the support portal page.
Click the Submit tab and type the necessary information.
If you have event logs from a device, it helps if you attach the event information and include the product version of the device that generated the event log.
Write a log source extension to parse events for your device. For more information, see Log Source Extensions.
You can use content extensions for sending events to JSA that are provided by some third-party vendors. They can be found on the IBM Security App Exchange.