ESI Parses log but enVision does not?
Anyone have any idea why enVision parses logs as "unknown" when the ESI tool parses every record successfully? In this particular instance, the same log file that is not being parsed correctly was imported and used to create the UNX file. The Event Analysis report even shows the header and message being successfully parsed with the data elements in all the correct places. Looking at the events in the Event Viewer, I see that the name of the File Reader has been added to the event entries. All of the message types show up under Manage Messages to Parse as well.
Has enVision associated a device type with the device or is the actual device unknown? If the device is unknown then you should manually change it to the correct device type. When enVision samples events it defines the device type by uniquely identifying the events against parsers.
If the device type is correctly identified but the events are uncategorised then I've not seen this before.
Let me know if this helps.
Thanks for your response, Patrick. Changing the device type in Manage Monitored Devices was my last step after trying several other things, and at the end of the day, it finally worked. I have more testing to do this week, though. Interestingly, these are Oracle logs which RSA supports, but the RSA file reader does not match the delimiters in the log files I get. In fact, I get five Oracle logs, RSA "supports" three of them, and none of the RSA file readers match. So I have to build custom parsers for all five log types.