I was working with a customer that suddenly change the format of the logs that are being sent to Netwitness using File Collection. As result of the change in the logs, the events were still identified as a specific device, but the were not parsed. To avoid this kind of situation, I have created an ESA rule to alert the customer when an event is parsed as a device, but not correctly parsed.
@Description('Dispositvos no unknown que tienen meta word')
SELECT * FROM Event(
(device_type.toLowerCase() NOT IN ( 'unknown' )
word IS NOT NULL)
) GROUP BY device_type output first every 24 hours;
The alert evaluates that the device type is not unknown and the metakey word is present (wich means that the message was not parsed using a message id). It outputs only one alert per device every 24 hours just to not flood the netwtiness administrator.
I hope that you may find this useful.