What to do if log messages are classified as an unknown device type in RSA Security Analytics.
Log messages are classified as unknown in the device.type meta key when RSA Security Analytics does not recognise them. The possible reasons are:
The log messages are not recognised by the device parser. Ensure that you have subscribed to the latest parser for your device and that it is deployed and enabled on the Log Decoder that the logs are being parsed through.
The event source is not configured correctly. See the device specific configurations document for your device on the RSA SecurCare Online portal.
The device is not yet supported. Check the device-specific configuration document for the versions currently supported. If the device is not currently supported, please complete the New Device Request form.
If the device is supported but its messages are still being classified as unknown, open a support case with the following information:
The name and manufacturer of the device.
The version of the device.
Examples of log messages that are classified as unknown when imported. (You can export these from Security Analytics by going to the Investigation view, searching for logs with device.type = unknown, selecting the logs, and then using Action -> Export Logs in text format.)
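To make the three causes above concrete, the following added example (not RSA's code, and not the Log Decoder's real parser logic) runs a set of hypothetical, deliberately simplified header patterns over a constructed batch of exported log lines, labels each line with a device type or "unknown", and groups the unknown lines by header signature so they can be attached to a support case. The pattern names ciscoasa and rhlinux, the regexes, and the sample lines are all assumptions made for this illustration. The app02 lines show a device with no parser at all; the ISO-timestamped fw01 line shows a supported device whose event source is sending a header shape the parser does not expect, which is the misconfiguration case.

```python
import re
from collections import Counter

# Constructed sample standing in for an export of device.type = unknown logs from the
# Investigation view. None of these lines come from a real Security Analytics export.
SAMPLE_LOGS = [
    "<166>Jun 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.0.5/51234",
    "<86>Jun 10 12:00:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.9 port 50222 ssh2",
    "<14>Jun 10 12:00:03 app02 MyApp: user=bob action=login result=ok",
    "2024-06-10T12:00:04Z fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22",
    "<166>Jun 10 12:00:05 fw01 %ASA-6-302014: Teardown TCP connection 12345 duration 0:00:04 bytes 8192",
    "<14>Jun 10 12:00:06 app02 MyApp: user=carol action=logout result=ok",
]

# Hypothetical, simplified header patterns. A real Log Decoder parser is far more specific;
# these only illustrate that a parser matches on a fixed header shape and that any line
# failing every pattern ends up with device.type = unknown.
SYSLOG_HDR = r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
HEADER_PATTERNS = {
    "ciscoasa": re.compile(SYSLOG_HDR + r"%ASA-\d-\d{6}: "),
    "rhlinux": re.compile(SYSLOG_HDR + r"(?P<proc>sshd|sudo|cron|systemd)(\[\d+\])?: "),
}


def classify(line):
    """Return (device_type, host) for one line; ('unknown', None) when no header pattern matches."""
    for device_type, pattern in HEADER_PATTERNS.items():
        m = pattern.match(line)
        if m:
            return device_type, m.group("host")
    return "unknown", None


def unknown_signature(line):
    """Header signature for grouping unknown lines: the tokens up to the first tag that
    ends in ':' (or the first four tokens), with runs of digits collapsed to 'N'."""
    tokens = line.split()
    end = next((i + 1 for i, t in enumerate(tokens) if t.endswith(":")), min(4, len(tokens)))
    return re.sub(r"\d+", "N", " ".join(tokens[:end]))


def triage(lines):
    """Count lines per device type and group the unknown ones by header signature."""
    by_type = Counter()
    unknown = Counter()
    for line in lines:
        device_type, _ = classify(line)
        by_type[device_type] += 1
        if device_type == "unknown":
            unknown[unknown_signature(line)] += 1
    return by_type, unknown


if __name__ == "__main__":
    by_type, unknown = triage(SAMPLE_LOGS)
    print("device.type counts:", dict(by_type))
    print("unknown header signatures (attach to the support case):")
    for signature, count in unknown.most_common():
        print(f"  {count:3d}  {signature}")
```

Each distinct signature in the output is one candidate cause: a signature whose host and tag belong to a device that has a parser (fw01 with an ISO timestamp here) points at an event source or relay that is rewriting the header, while a signature from a device with no parser at all (app02/MyApp) is the case for the New Device Request form. Collapsing digits groups lines from the same source even though timestamps and host suffixes differ.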