- The event in question is being routed to storage because it was not parsed properly as shown in the screen capture. The event was not parsed by the Linux® OS DSM, it just came from the same host or IP. This is common for Linux OS due to the variability in Unix services that can make it into the Linux OS Syslog stream. When the DSM is unable to parse the event, the Event-ID and Event-Category attributes are not parsed for the event. Those two fields are what we use to perform the QID map lookup. If there are no event keys, there is no ability to map the event.
- If the log source in question is an internal type (SIM Audit, SIM Notification, etc...); you cannot remap internal events, this is not supported.
- Log Source types other than Linux can cause the map event button to be greyed out because they are routed to storage and not parsed.
Diagnosing The Problem
Resolving The Problem
In order to map any events we have to do following things:
- Open the unknown events in DSM Editor.
- Write a Regex to capture Event Category and Event ID.
- Based on Event Category and Event ID you can create an Event name.
- You can capture other fields per your requirements.
- After capturing the fields, click Event Mappings to create an Event name and QID.
- Click the Plus "+" button.
- Click Choose QID.
- Provide a High-Level Category and Low-Level Category per your requirement.
- Type in a QID number or part of an event name.
- Click Search.
- Select the event name you want and click OK.
- Give the Event ID and the Event Category for the event you want to map. Make sure these are the same as you have captured with your Regex in Step 2.
- Save the changes, and verify in Log Activity.
You will be able to map events utilizing a different method, even if the Map Events button is greyed out.
Was this topic helpful?
25 September 2020