RSA enVision: How to Extract Unknown or Unparsed Logs

To extract unknown or unparsed logs for an unknown device in RSA enVision, you can run the following at the command prompt of the D-Srv:

%_ENVISION%\bin\lsdata.exe -events syslog -devices unknown:<ip_address> -time <starttime> <endtime> > <outputfile>

For example, if you have an unknown device with IP address and you want to extract 2 days' worth of logs and store them in a file called unknown_logs.unx on the root of drive E:, run the following at the command prompt:

%_ENVISION%\bin\lsdata.exe -events syslog -devices unknown: -time -2D end > e:\unknown_logs.unx

The resulting unknown_logs.unx file will contain the unknown log messages (in syslog format) that were collected by enVision.

You can then use this output log file as sample input when developing the enVision event log parser for this device.
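The first step in writing a parser for an unknown device is usually to find out how many distinct message shapes the exported file actually contains. The script below is an added example, not RSA code and not the enVision parser format: it reads syslog-style lines like those lsdata writes, splits the header from the message body, collapses the variable fields (IP addresses, ports, hex values, counters) into placeholders, and counts the resulting message templates. The sample lines are constructed for the example; the header layout (optional <PRI>, BSD timestamp, host, message) is an assumption about the export and lines that do not fit it are reported separately rather than dropped.

```python
import re
from collections import Counter

# Constructed sample in the syslog shape lsdata writes for an unknown device.
# These lines are made up for this example; they are not real enVision output.
SAMPLE_UNX = """\
<134>Jan 12 10:01:02 10.0.0.5 fwd: connection from 192.168.1.10:51234 to 10.0.0.9:443 allowed
<134>Jan 12 10:01:03 10.0.0.5 fwd: connection from 192.168.1.11:51240 to 10.0.0.9:443 allowed
<132>Jan 12 10:01:05 10.0.0.5 auth: login failed for user admin from 192.168.1.20
<134>Jan 12 10:01:07 10.0.0.5 fwd: connection from 192.168.1.12:51250 to 10.0.0.9:80 denied
<132>Jan 12 10:01:09 10.0.0.5 auth: login failed for user root from 192.168.1.21
this line has no syslog header at all
"""

# Assumed header layout: optional <PRI>, "Mon dd hh:mm:ss", host, then the message.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<msg>.*)$"
)

# Variable fields to collapse into placeholders. Order matters: IP:port must be
# replaced before bare IPs, and both before the generic number rule.
VARIABLE_FIELDS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b"), "<ip>:<port>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),
    (re.compile(r"\b\d+\b"), "<num>"),
]


def to_template(msg: str) -> str:
    """Replace variable fields in a message body with placeholders."""
    for pattern, placeholder in VARIABLE_FIELDS:
        msg = pattern.sub(placeholder, msg)
    return msg


def parse_line(line: str):
    """Split one syslog line into its parts, or return None if it has no header."""
    m = SYSLOG_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") is not None else None
    return {
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
        "template": to_template(m.group("msg")),
    }


def template_counts(text: str) -> Counter:
    """Count how many lines fall under each message template."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed["template"]] += 1
    return counts


def unparsed_lines(text: str) -> list:
    """Lines that do not fit the assumed header; these need a closer look."""
    return [l for l in text.splitlines() if l.strip() and parse_line(l) is None]


if __name__ == "__main__":
    # Usage: python templates.py < e:\unknown_logs.unx  (or edit SAMPLE_UNX)
    for template, n in template_counts(SAMPLE_UNX).most_common():
        print(f"{n:6d}  {template}")
    for line in unparsed_lines(SAMPLE_UNX):
        print(f"UNPARSED: {line}")
```

Run it against the real export (replace SAMPLE_UNX with the file contents) and the most common templates are the message types worth writing parser rules for first; anything in the unparsed list tells you the export does not match the header layout the script assumes.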