Edit supplied event parsers

Unanswered Question
Jul 1st, 2009

Is it possible to edit the supplied event parsers?

I have an issue with WIN-SEC-644 where it doesn't seem to be getting the correct username out of the event. It uses "Caller User Name" when I believe it should be using "Target Account Name".

eegilbert Wed, 07/01/2009 - 09:24

Hi Adam,

You certainly can edit the parser:

Click: Management->Device Type Management

Scroll down to the Vendor you want to change. In my MARS setup there are three Windows-based ones to choose from: 2000, 2003 and Generic.

Select one to edit, then at the bottom right of the page, click on Edit Parser.

Click Device Event ID WIN-SEC-644 and click edit on the bottom right side of the page.

You can now add to the parser any values you wish.

If it were me, I would consider making a copy of the original device type with the Derive From button.

I hope this helps.


patwill66_2 Thu, 07/02/2009 - 03:49

You say that after clicking edit on the event ID, you can now add to the parser any values you wish. I have never been able to figure that part out. Where do you add additional information or what it's parsing? The only thing it allows you to do is select the event type. Is it something defined under patterns? Patterns is always blank for me when I click on that tab.

