Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Edit supplied event parsers

Is it possible to edit the supplied event parsers?

I have issue with WIN-SEC-644 where it doesn't seem to be getting the correct username out of the event. It uses "Caller User Name" when I believe it should be using "Target Account Name"

2 REPLIES
New Member

Re: Edit supplied event parsers

Hi Adam,

You certainly can edit the parser:

Click: Management->Device Type Management

Scroll down to the Vendor you want to change. In my MARS setup there are three windows based ones to choose from: 2000, 2003 and Generic.

select one to edit then at the bottom right of the page, click on Edit Parser.

Click Device Event ID WIN-SEC-644 and click edit on the bottom right side of the page.

You can now add to the parser any values you wish.

If it were me, I would consider making a copy of the original device type with the Derive From button.

I hope this helps.

Erric

New Member

Re: Edit supplied event parsers

You say that after clicking edit on the event ID, you can now add to the parser any values you wish. I have never been able to figure that part out. Where do you add additional information or what its parsing. The only things it allows you to do is select the event type. Is it something defined under patterns? Patterns is always blank for me when I click on that tab.

140
Views
0
Helpful
2
Replies