RSA Admin

Managing unknown devices - delete them regularly?

Discussion created by RSA Admin Employee on Oct 12, 2011
Latest reply on Dec 20, 2011 by kumo_parris
How is everyone managing unknown devices, especially those discovered as part of a multi-device's output? Should we be deleting these entries each time we install a new ESU so that newly recognized events get parsed? Or should we just clear them out regularly to save on overhead, recognizing that they will potentially re-appear? My current scenario is a Unix system that had generated two device entries -- one for recognized Unix events and another for a few Unix events that weren't properly recognized yet. The system also runs an Oracle database, which we didn't initially configure to log. When we turned on the Oracle logging (via syslog), all of the Oracle events flowed into the "unknown" device in enVision. It wasn't until we deleted the unknown device that the Oracle events began to be parsed at all. Should I have been able to change the unknown device's settings to "Oracle" and set it Active to have the Oracle events properly parsed?