This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-10-12 12:23 PM

Managing unknown devices - delete them reguarly?

How is everyone managing unknown devices, especially those discovered as part of a multi-device's output? Should we be deleting these entries each time we install a new ESU so that newly recognized events get parsed? Or should we just clear them out regularly to save on overhead, recognizing that they will potentially re-appear? My current scenario is a Unix system that had generated two device entries -- one for recognized Unix events and another for a few Unix events that weren't properly recognized yet. The system also runs an Oracle database, which we didn't initially configure to log. When we turned on the Oracle logging (via syslog), all of the Oracle events flowed into the "unknown" device in enVision. It wasn't until we deleted the unknown device that the Oracle events began to be parsed at all. Should I have been able to change the unknown device's settings to "Oracle" and set it Active to have the Oracle events properly parsed?
0 Likes
Reply
5 Replies
RSAAdmin
Beginner
Beginner
‎2011-11-28 12:16 PM

This is a good question that I am sure plagues most Envision admins. What I do for the moment is just set aside unknown devices by: 1. Mark them as active/disabled and not to analyze. 2. I change the name so I can easily tell that its something I don't care about (I append UMMD to mine, which stands for Unknown Messages Multi Device) I almost always see some kind of Unknown device come in where we have a multi-device. The best option (and I always mean to do this, but rarely have the time) is to get those messages out, update the XMLs via ESI and re-import the messages. That becomes something of a whack-a-mole game, but then you know you are getting most of the messages parsed anyway. In theory if you are really on top of it, you may get to a point where they don't show up anymore as unknown and everything is parsing 100%.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-12-01 08:36 AM

I used to delete them every so often, but then stopped doing it because there really isn't much to gain from it  In a situation with a multi-device you may find it useful to have the log messages from the unknowns as they can include undefined messages that you may want to have defined.  Other than that, I have tended to just leave well enough alone

 

Paul

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-12-07 02:21 PM

In a multi-device scenario once Unknown device type is discovered the system will no longer auto discover any new device types for that IP. Therefore, one should manually change the Unknown to the correct type or remove the Unknown type so the system will try to auto discover the correct type.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-12-08 11:04 AM

Thanks jward, lack of discovery is a very good point.  I have deleted a number of Unknowns this morning and had a few re-appear as correct entries, probably thanks to additions made in recent ESU's.

0 Likes
Reply
RobParris
Beginner
Beginner
In response to RSAAdmin
‎2011-12-20 02:56 PM

We were also having an issue with these and still do. Our method was to also change the device type, however, when doing that you have to restart the collector service. If you don't, you'll end up with those "Unknown" devices getting discovered again and "Unknown" and this just creates a lovely cycle. We just recently found out about having to recycle the collector service. I thought I was going crazy as these same "Unknowns" kept coming back.
0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.