FortiSIEM Discussions
Martin_Sa
New Contributor

Analyze incident "FortiSIEM: Too Many Unknown Events"

Hello,

how can we find out from which log source are the events that can not be parsed?

 

This is not clear from the Incident or RAW log, it only says the collector. Any ideas? Thanks in advance!

Greetings
Martin

1 REPLY 1
cdurkin_FTNT
Staff
Staff

I would suggest the easiest way would be to create an Analytic search...

 

Condition:  Event Type = Unknown_EventType.  (or simply Event Type CONTAIN Unknown_)

 

Group By: Reporting IP & Count (Matched Events)

 

This will display which host is reporting the most Unknown Events and then you can pivot from there to view the raw messages if required.

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"