how can we find out from which log source are the events that can not be parsed?
This is not clear from the Incident or RAW log, it only says the collector. Any ideas? Thanks in advance!
I would suggest the easiest way would be to create an Analytic search...
Condition: Event Type = Unknown_EventType. (or simply Event Type CONTAIN Unknown_)
Group By: Reporting IP & Count (Matched Events)
This will display which host is reporting the most Unknown Events and then you can pivot from there to view the raw messages if required.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.