Unable to determine associated log source

38750007 - Unable to automatically detect the associated log source for IP address <IP address>.

Explanation

When events are sent from an undetected or unrecognized device, the traffic analysis component needs a minimum of 25 events to identify a log source.

If the log source is not identified after 1,000 events, the system abandons the automatic discovery process and generates the system notification. The system then categorizes the log source as SIM Generic and labels the events as Unknown Event Log.

User response

Review the following options:

  • Review the IP address in the system notification to identify the log source.
  • Review the Log Activity tab to determine the appliance type from the IP address in the notification message and then manually create a log source.

    Ensure that the Log Source Identifier field matches the host name in the original payload syslog header. Verify that the events are appearing on the device by deploying the changes and searching on the manually created log source.

  • Review any log sources that forward events at a low rate. Log sources that have low event rates commonly cause this notification.
  • To properly parse events for your system, ensure that automatic update downloads the latest DSMs.
  • Review any log sources that provide events through a central log server. Log sources that are provided from central log servers or management consoles might require that you manually create their log sources.
  • Verify whether the log source is officially supported. If your appliance is supported, manually create a log source for the events and add a log source extension.
  • If your appliance is not officially supported, create a universal DSM to identify and categorize your events.
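As an added example (not part of the IBM documentation), the following Python helper works through the step above of matching the Log Source Identifier to the host name in the payload syslog header: it extracts the header host name from a constructed batch of raw syslog payloads, counts events per host name, and flags hosts that are still below the 25-event minimum traffic analysis needs. The sample payloads, host names and the regular expressions are assumptions for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample payloads, as they might arrive from the IP address named in
# the notification. Host names and messages are made up; RFC 3164 and RFC 5424
# header shapes are included, plus one line that carries no syslog header.
SAMPLE_PAYLOADS: List[str] = [
    "<34>Oct 11 22:14:15 fw-edge-01 kernel: [ACCEPT] src=10.0.0.5 dst=10.0.0.9",
    "<34>Oct 11 22:14:16 fw-edge-01 kernel: [DROP] src=10.0.0.7 dst=10.0.0.9",
    "<165>1 2023-10-11T22:14:17.003Z vpn-gw.example.net sshd 1234 - - Accepted publickey",
    "<165>1 2023-10-11T22:14:18.003Z vpn-gw.example.net sshd 1234 - - Failed password",
    "<13>Oct 11 22:14:19 fw-edge-01 sshd[77]: session opened",
    "appliance rebooted, no syslog header on this line",
]

# Documented threshold: traffic analysis needs at least this many events per source.
MIN_EVENTS_FOR_DETECTION = 25

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<host>\S+)\s")
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME ...
RFC5424 = re.compile(r"^<\d{1,3}>1\s\S+\s(?P<host>\S+)\s")


def header_hostname(payload: str) -> Optional[str]:
    """Return the host name from the syslog header, or None if no header parses."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(payload)
        if m:
            return m.group("host")
    return None


def candidate_identifiers(payloads: List[str]) -> Dict[str, int]:
    """Count events per header host name; each key is a Log Source Identifier value."""
    counts: Counter = Counter()
    for p in payloads:
        counts[header_hostname(p) or "<no syslog header>"] += 1
    return dict(counts)


def low_rate_sources(counts: Dict[str, int], minimum: int = MIN_EVENTS_FOR_DETECTION) -> List[str]:
    """Host names with fewer than `minimum` events, so autodetection cannot identify them yet."""
    return sorted(h for h, n in counts.items() if h != "<no syslog header>" and n < minimum)
```

Run `candidate_identifiers` over payloads captured from the IP in the notification; the keys with a real host name are the identifiers to enter when creating the log source manually, and `low_rate_sources` shows which of them are too quiet to be autodetected.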