When i check the SIEM,I found that the event name/the rule message is replaced with "0".
I want to understand more about this Please help me out.
Please find below the screenshot.
Thanks in advance.
This can happen after rules have been deleted. The events associated with those rules appear with the '0' as the message.
I have also seen this as a side effect of deleting rules where events that were not impacted by the rule deletion, i.e. their rules were not deleted, also show up as '0'. In this case it corrected itself as messages for the rules were subsequently parsed as new events arrived.
Hope that helps.
But on a specific Data Source.
"Support generic syslogs" field is set to "parse as generic syslog".
Can this also be a reason?
If you start to clean up the auto-generated rules then yes this can be the reason. The approach I take is to first delete the ESM events associated with the auto-learned rules and then delete the auto-learned rules themselves. You can still get the transient '0' rule messages but, in my experience, they clean themselves up.
no this is not the reason for the 0 description.
This will only happens if you delete a autolearned rule or a Correlation rule and in special times if you delete Parser rules.