lsmaint -scanUnknown and Partner Created Content
I'm working with one of the Partner Created event sources and find that a few events are not being parsed. I tried running 'lsmaint -scanUnknown' to collect up the unknown/undefined events, but it returned an error on the partner event source, indicating it was unsupported.
Does the partner have to do anything special to make their setup work with lsmaint -scanUnknown, or is the command reserved solely for RSA-provided sources?
Thanks Nathan, I've been exporting events with lsdata as I notice them. The Events by Event Type GRAPH seems to be the best way to track down the undefineds. A bit cat-and-mouse at this point, but improving.
The following lsdata command will retrieve ONLY the undefined messages for the specified device IP and time range.
Here is a sample command that will retrieve only undefined messages from the n.n.n.n device IP for the time range of the start and end time of collection (basically from the time collection began until the current time).
lsdata -events syslog -devices n.n.n.n(undefined) -time start end
Thanks jward. I tried that lsdata command on a few of our multi-devices that are populating entries into an "Unknown" device type as well as their regular types, and oddly found NO events.
I can see events in the 'unknown' device type at a specific IP in the Event Viewer. But 'lsdata ... -devices x.x.x.x(undefined)' returns no events for the same device IP and time frame.
This doesn't seem to be specific to multi-devices, as I can pull undefined messages off of several of our multi-device source IPs.