[JSA] Events appear as Unknown or are incorrectly parsed

  [KB15214]


Summary:
Juniper Secure Analytics (JSA) appliances display in the Event Viewer the events sent from sensor devices. The JSA appliance should have the latest patch, the latest AutoUpdate, and the latest DSM installed in order to parse those events correctly.
Symptoms:
Events are parsed and displayed as 'Unknown' in the Log Activity Event Viewer.
Cause:
  1. The manufacturer chose to send event types with the field label 'Unknown'.
  2. Outdated or missing DSMs cause events to be unrecognized by JSA or parsed incorrectly.
  3. The appliance is running an old version of code.
  4. Autodiscovery failed to associate the events with a log source.
  5. The log source is configured incorrectly.
Solution:
In most cases, the category of 'Unknown' means JSA knows the device but cannot parse the events.  For each of the causes listed above, see the corresponding resolution below:
  1. In this case, the manufacturer made a development choice to use terminology that can be confusing for STRM/JSA users.  If the field in the payload is literally 'Unknown', then JSA parsed the log correctly and is working as designed.  If you would like that changed, contact the vendor, report it as a defect, and request that they use a different label.
     
  2.  Syslog vendors constantly change and update the format of their syslog event messages, and each vendor's format differs from the others.  For JSA to interpret a vendor's syslog messages accurately, a Device Support Module (DSM) or PROTOCOL file that provides the correct mappings must be installed.  Because the message formats change often, the DSMs and PROTOCOLs must be updated to include those changes.  Check the DSM guide for the list of supported devices and how to configure them.  New DSMs and PROTOCOLs can be obtained through autoupdates or by downloading and installing them manually.  If your console has access to the internet, we highly recommend enabling autoupdates to keep your DSMs and PROTOCOLs current; autoupdates also deliver the latest QIDs, scanners, and vulnerability information.  If your console does not have access to the internet, you can set up your own internal update server or download the latest DSM from Juniper's download site as needed.  The Admin guide contains instructions for manually installing DSMs, for autoupdates, and for configuring an update server.
     
  3. Always stay patched to the latest version of code available.  DSMs and PROTOCOLs are only updated for currently supported versions of code, so a parsing fix delivered in a new DSM will not be available on an unsupported release.
     
  4. If autodiscovery is enabled, it requires a minimum number of events to arrive within a given time window before it creates the log source.  If fewer events arrive than that threshold, the events cannot be associated with a log source and are categorized as 'Unknown'.  If this is the case, create the log source manually as a workaround.
     
  5. Log source configuration is also critical.  The wrong log source type or log source identifier can also lead to incorrectly parsed events.  For the syslog header to be RFC compliant, it must contain a PRI, followed by the timestamp, followed by either a hostname or an IP address.  The log source identifier must match exactly what the device puts in the syslog header, whether that is the hostname or the IP address; for example, if the device sends its hostname in the header, a log source whose identifier is the device's IP address will not match the events.
     
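As an added illustration of item 5 (example code written for this article, not a JSA utility or part of the original KB), the following Python script checks whether each syslog line carries the RFC 3164 header described above, reports which identifier (hostname or IP address) the device actually sends, and compares it with the identifier configured on the log source. The sample lines, including the firewall and sshd payloads and the configured identifier `fw-edge-01`, are constructed for the example.

```python
import re
import ipaddress

# Constructed sample syslog lines (not taken from the original article).
SAMPLES = [
    "<34>May 22 14:03:01 fw-edge-01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4431 dst inside:10.0.0.5/22",
    "<13>May 22 14:03:02 192.0.2.10 sshd[1031]: Failed password for invalid user admin from 203.0.113.9 port 5022 ssh2",
    "<165>Jun  3 09:15:44 core-sw1 link down on Gi1/0/24",
    "May 22 14:03:03 fw-edge-01 this line has no PRI",
    "<13>fw-edge-01 this line has no timestamp",
]

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is
# "Mmm dd hh:mm:ss" with a space-padded day ("Jun  3"), and HOSTNAME is
# either a hostname or an IP address.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?P<mon>[A-Z][a-z]{2}) [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_header(line):
    """Return the decoded header fields, or None if the line is not RFC 3164 compliant."""
    m = HEADER_RE.match(line)
    if not m or m.group("mon") not in MONTHS:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give a maximum PRI of 191
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "hostname"
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "identifier": host,        # this is what the log source identifier must equal
        "identifier_kind": kind,
        "message": m.group("msg"),
    }


def check_log_source(line, configured_identifier):
    """Classify one line against the identifier configured on the JSA log source."""
    hdr = parse_header(line)
    if hdr is None:
        return "NONCOMPLIANT_HEADER"   # device must be fixed to send <PRI>TIMESTAMP HOST
    if hdr["identifier"] != configured_identifier:
        return "IDENTIFIER_MISMATCH"   # log source identifier does not match the header
    return "OK"


def audit(lines, configured_identifier):
    """Count how the lines fall into each category for a given log source identifier."""
    counts = {"OK": 0, "IDENTIFIER_MISMATCH": 0, "NONCOMPLIANT_HEADER": 0}
    for line in lines:
        counts[check_log_source(line, configured_identifier)] += 1
    return counts


if __name__ == "__main__":
    configured = "fw-edge-01"  # hypothetical identifier set on the JSA log source
    for line in SAMPLES:
        hdr = parse_header(line)
        sent = f"{hdr['identifier']} ({hdr['identifier_kind']})" if hdr else "-"
        print(f"{check_log_source(line, configured):<20} header identifier: {sent}")
    print(audit(SAMPLES, configured))
```

Running the script shows that the first line matches the configured identifier, the second and third lines come from devices sending a different hostname or an IP address (each needs its own log source whose identifier is exactly that value), and the last two lines are missing the PRI or the timestamp and would not be associated with any log source by header matching. Note that some devices send an unpadded single-digit day; the regular expression here follows the RFC strictly, so relax it if your device does that.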

If you have determined that your device is supported and have checked the items above, but the events still do not parse as expected, open a support case and attach the following items for investigation:
  1. An XML export from JSA filtered for the problem events
  2. A screenshot of the detailed view of the log source configuration
  3. A set of logs from the console: /opt/qradar/support/get_logs.sh
Modification History:
2019-05-22: Updated list of potential causes as well as the related solutions.
Related Links: