Hello,
how can we find out from which log source the events that cannot be parsed are coming?
This is not clear from the Incident or RAW log; it only says the collector. Any ideas? Thanks in advance!
Greetings
Martin
I would suggest the easiest way would be to create an Analytic search...
Condition: Event Type = Unknown_EventType (or simply Event Type CONTAIN Unknown_)
Group By: Reporting IP & Count (Matched Events)
This will display which host is reporting the most Unknown Events and then you can pivot from there to view the raw messages if required.
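The same triage done offline against an exported search result, as an added example that is not part of the original thread: it filters on the Unknown_ event-type prefix, groups by Reporting IP, counts matches and keeps one raw message per reporter to pivot from. The column names and the sample rows are constructed assumptions, not a real FortiSIEM export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an exported analytic-search result.
# Column names are assumptions for this example, not FortiSIEM's real export schema.
SAMPLE_EXPORT = """Event Type,Reporting IP,Raw Event Log
Unknown_EventType,10.0.0.5,<13>Mar 1 10:00:01 host5 custom-app: state=ready
FortiGate-event-system-login,10.0.0.7,date=2024-03-01 logid=0100032001
Unknown_EventType,10.0.0.5,<13>Mar 1 10:00:02 host5 custom-app: state=busy
Unknown_Syslog,10.0.0.9,<134>Mar 1 10:00:03 host9 legacy-daemon: tick
Unknown_EventType,10.0.0.5,<13>Mar 1 10:00:04 host5 custom-app: state=ready
"""


def unparsed_by_reporting_ip(export_csv, prefix="Unknown_"):
    """Return [(reporting_ip, count, sample_raw), ...] sorted by count descending.

    Mirrors the suggested search: Event Type CONTAIN 'Unknown_', grouped by
    Reporting IP with a count of matched events. One raw message is kept per
    reporter so the analyst can identify the unparsed log source directly.
    """
    counts = defaultdict(int)
    sample = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if prefix not in row["Event Type"]:
            continue  # parsed events are not of interest here
        ip = row["Reporting IP"]
        counts[ip] += 1
        sample.setdefault(ip, row["Raw Event Log"])  # first raw message seen
    # Highest count first; tie-break on IP for a stable, readable listing.
    return sorted(((ip, n, sample[ip]) for ip, n in counts.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n, raw in unparsed_by_reporting_ip(SAMPLE_EXPORT):
        print(f"{ip:15} {n:4}  e.g. {raw}")
```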
Copyright 2024 Fortinet, Inc. All Rights Reserved.