3 Replies Latest reply on May 28, 2015 5:45 AM by rhinomike

    Unknown Messages Export from ELM

    michal_be

      Hello guys,


      I would like to export all not parsed messages, which are visible on ESM as unknown, to one file based on log source type.

      Is there any command how to do that?

        • 1. Re: Unknown Messages Export from ELM
          rhinomike

          Not that I am aware of.


          But you may want to add them into the "Unknown events" bucket (set a data source "Support Generic Syslogs" to "Log "unknown syslog" event").

          • 2. Re: Unknown Messages Export from ELM
            michal_be

            Hi Rhinomike,


            I did it already. I would like to export only all unknown messages to one file. It was possible to do on the RSA enVision SIEM product. I do not understand why such a simple option is not available on McAfee....


            Maybe someone else knows how to do this? Support suggested I open a PER case, which is totally absurd in the current situation.


            I need to start a few PER cases to complete another one..... ah....

            • 3. Re: Unknown Messages Export from ELM
              rhinomike

              Michael,


              I'm afraid PER is the way to go...


              I happened to have asked a similar question, that is, to be able to see what rule is triggered by a particular log line without having to search for any particular field or re-ingest the line, and I was told to add a fake data source and all sorts of bizarre recommendations.


              Cheers