Custom parser difficulties.

Unanswered Question

I am trying to parse a Windows 2008 '4624' event log entry as a proof-of-concept before parsing other high-priority Windows Server 2008 events.

I have created a 'parser' which will work flawlessly when using the 'test' feature within Mars 6.x.

However I am unable to get this 'parser' to interpret incoming events from the server.

* Events are being forwarded from the server using Snare.

* Copying the event from the 'Event raw messages' report output (where "Parsing error or event type unknown:" has been prepended to the message) and pasting it directly into the parser test screen, the message is successfully parsed by the test parser.

* I have configured the device as a 'windows-generic' device but have NOT configured the MARS to receive OR pull logs from the device; hence, the only software configured on the device is the custom framework I have created.

Anyone have any thoughts, or have I missed something very simple?

Kind regards


Mykola Srebnyuk Thu, 03/04/2010 - 02:34



1. Create a new device type (for example, win2008 generic).

2. Create a new device event type (add it to this NEW device type).

3. Then create the parser's patterns.

4. Then create the new device (select OS Windows -> Receive events), go to the Reporting applications tab and add the newly created device type (for example, Win 2008 generic).

5. That's all.

P.S. In Snare, please enable the syslog header. That's all.

Kind regards,
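
An added example (not the poster's parser and not MARS or Snare code) of the pitfall behind the syslog-header advice: a pattern anchored to the start of the message passes in a tester fed the bare event body, but never matches the live line when the forwarder puts a syslog header in front of it. The sample line, the Snare tab-delimited field layout and the 4624 description text below are constructed assumptions for this example; a practitioner should check them against a real capture from their own Snare agent.

```python
import re
from typing import Optional

# Constructed sample input (not taken from the original post). The Snare
# tab-delimited field layout and the 4624 description text are assumptions
# made for this example; verify them against a real capture before relying on them.
SYSLOG_HEADER = "<13>Mar  4 02:34:00 WIN2008SRV "
SNARE_BODY = (
    "MSWinEventLog\t1\tSecurity\t101\tThu Mar 04 02:34:00 2010\t4624\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN2008SRV\t"
    "Logon\t\tAn account was successfully logged on.    "
    "Subject:   Security ID:  S-1-5-18   Account Name:  WIN2008SRV$   "
    "Account Domain:  CORP   Logon ID:  0x3e7   Logon Type:   3   "
    "New Logon:   Security ID:  S-1-5-21-1111-2222-3333-1105   "
    "Account Name:  jdoe   Account Domain:  CORP   Logon ID:  0x1a2b3c   "
    "Network Information:   Workstation Name:  WKS01   "
    "Source Network Address:  192.0.2.10   Source Port:  49152\t42"
)

# Optional RFC 3164 style header: <PRI>, timestamp, hostname, then one space.
SYSLOG_HDR = re.compile(r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# Leading Snare fields up to the event source. Anchored at the start of the
# string, the way a pattern written against a pasted body tends to be.
SNARE_HEAD = re.compile(
    r"^MSWinEventLog\t\d+\t(?P<log>[^\t]+)\t\d+\t[^\t]+\t(?P<event_id>\d+)\t"
    r"(?P<source>[^\t]+)\t"
)

# Pieces of the 4624 description worth keying a rule on.
LOGON_TYPE = re.compile(r"Logon Type:\s+(?P<logon_type>\d+)")
NEW_LOGON = re.compile(r"New Logon:.*?Account Name:\s+(?P<account>\S+)")
SRC_ADDR = re.compile(r"Source Network Address:\s+(?P<src_ip>\S+)")


def strip_syslog_header(line: str) -> str:
    """Return the message body with any leading syslog header removed."""
    return SYSLOG_HDR.sub("", line, count=1)


def parse_4624(line: str) -> Optional[dict]:
    """Parse one Snare-forwarded line; return fields for a 4624 event, else None.

    Works whether or not the forwarder prepended a syslog header, because the
    header is peeled off before the start-anchored Snare pattern is applied.
    """
    body = strip_syslog_header(line)
    head = SNARE_HEAD.match(body)
    if head is None or head.group("event_id") != "4624":
        return None
    fields = {"event_id": head.group("event_id"), "log": head.group("log")}
    for pat in (LOGON_TYPE, NEW_LOGON, SRC_ADDR):
        m = pat.search(body)
        if m:
            fields.update(m.groupdict())
    return fields


def matches_without_header_handling(line: str) -> bool:
    """The failure mode: the anchored pattern alone cannot see past a syslog header."""
    return SNARE_HEAD.match(line) is not None


if __name__ == "__main__":
    live = SYSLOG_HEADER + SNARE_BODY
    print("anchored match on live line:", matches_without_header_handling(live))
    print("anchored match on pasted body:", matches_without_header_handling(SNARE_BODY))
    print(parse_4624(live))
```

The practical check is the two booleans: if the tester is fed the same bytes the receiver actually sees (header included), a parser that fails on the live feed will also fail in the tester, which is the quickest way to tell a pattern problem from a device-configuration problem like the one described in the steps above.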


