I am trying to parse a Windows 2008 '4624' event log entry as a proof-of-concept before parsing other high-priority Windows Server 2008 events.
I have created a 'parser' which will work flawlessly when using the 'test' feature within Mars 6.x.
However I am unable to get this 'parser' to interpret incoming events from the server.
* Events are being forwarded from the server using snare.
* Copying the event from the 'Event raw messages' report output (where "Parsing error or event type unknown:" has been pre-pended to the message) and pasting it directly into the parser test screen, the message will be successfully parsed by the test parser.
* I have configured the device as a 'windows-generic' device but have NOT configured the MARS to receive OR pull logs from the device - hence, the only software configured on the device is the custom framework I have created.
Anyone have any thoughts, or have I missed something very simple?
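One thing worth checking in a situation like the one described above is whether the parsing pattern is anchored to the "Parsing error or event type unknown:" prefix that the report prepends: a pattern written against the copied report text will match in the test screen but not against the live message, which arrives without that prefix. The following added example (not code from the original post, nor a MARS parser definition) shows a small Python parser for a Snare-style 4624 line that strips the report prefix if present and extracts the fields an analyst usually wants, beside a prefix-anchored check that only succeeds on the copied report text. The Snare tab-separated field layout, the sample event and the field indices are assumptions constructed for the example.

```python
import re
from typing import Optional

# Constructed sample: a Snare-style Windows Security event 4624 as it might
# arrive over syslog. The tab-separated layout (event id in field 5, computer
# in field 10, description in field 12) is an assumption for this example.
SAMPLE_LIVE = (
    "MSWinEventLog\t1\tSecurity\t1234\tMon Jan 01 12:00:00 2024\t4624\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tSRV01\tLogon\t"
    "An account was successfully logged on.    Subject:   Security ID:  S-1-5-18   "
    "Account Name:  SRV01$   Account Domain:  CORP   Logon ID:  0x3e7   "
    "Logon Type:   3   New Logon:   Security ID:  S-1-5-21-1-2-3-1001   "
    "Account Name:  jdoe   Account Domain:  CORP   Logon ID:  0x1a2b3c   "
    "Workstation Name:  WS01   Source Network Address:  192.0.2.10   "
    "Source Port:  49152\t5"
)

# The same event as copied from the "Event raw messages" report, which
# prepends a marker to messages it could not parse.
REPORT_PREFIX = "Parsing error or event type unknown: "
SAMPLE_REPORT = REPORT_PREFIX + SAMPLE_LIVE

# Patterns against the free-text description of a 4624 event. The "New Logon"
# block holds the account that actually logged on; the "Subject" block holds
# the account that requested the logon, so the lazy match skips past it.
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(\d+)")
NEW_LOGON_ACCOUNT_RE = re.compile(r"New Logon:.*?Account Name:\s+(\S+)")
SOURCE_ADDR_RE = re.compile(r"Source Network Address:\s+(\S+)")


def parse_4624(raw: str) -> Optional[dict]:
    """Parse a Snare-style 4624 line, tolerating the report prefix if present."""
    msg = raw[len(REPORT_PREFIX):] if raw.startswith(REPORT_PREFIX) else raw
    fields = msg.split("\t")
    # Reject anything that is not a Snare event log record for event 4624.
    if len(fields) < 13 or fields[0] != "MSWinEventLog" or fields[5] != "4624":
        return None
    desc = fields[12]
    logon_type = LOGON_TYPE_RE.search(desc)
    account = NEW_LOGON_ACCOUNT_RE.search(desc)
    source = SOURCE_ADDR_RE.search(desc)
    return {
        "event_id": fields[5],
        "computer": fields[10],
        "logon_type": logon_type.group(1) if logon_type else None,
        "account": account.group(1) if account else None,
        "source_ip": source.group(1) if source else None,
    }


# Illustrates the pitfall: a pattern anchored to the report's prefix matches
# the copied report text but never the message as it arrives from Snare.
PREFIX_ANCHORED_RE = re.compile(r"^Parsing error or event type unknown: MSWinEventLog\t")


def prefix_anchored_matches(raw: str) -> bool:
    return PREFIX_ANCHORED_RE.match(raw) is not None


if __name__ == "__main__":
    print("live   :", parse_4624(SAMPLE_LIVE))
    print("report :", parse_4624(SAMPLE_REPORT))
    print("anchored pattern on live   :", prefix_anchored_matches(SAMPLE_LIVE))
    print("anchored pattern on report :", prefix_anchored_matches(SAMPLE_REPORT))
```

Running the block shows the tolerant parser producing identical output for the live line and the copied report line, while the prefix-anchored pattern only matches the report copy. When comparing a test-screen paste against a live event, it is also worth confirming that tabs survived the copy, since the report output may have rendered them as spaces.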