Hello everybody,
i am facing problem with Windows logs. I am trying to monitor Windows password reset events, but SA cannot parse whole message.
It looks like nothing more then header have been parsed.
Log looks like:
============================================
%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,rn=1784170698 cid=0x00003600 eid=0x00001274,Wed Mar 19 10:01:38 2014,4724,Microsoft-Windows-Security-Auditing,None,Success Audit,dc01.domain.local,User Account Management,,An attempt was made to reset an account's password. Subject: Security ID: DOMAIN/admin-user Account Name: admin-user Account Domain: DOMAIN Logon ID: 0x1eeb24a Target Account: Security ID: DOMAIN/john.doe Account Name: john.doe Account Domain: DOMAIN
============================================
In ESI it looks OK. Everything is parsed as it should be.
But when I try to look at log in SA there is just this:
============================================
%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,rn=1784784984 cid=2620 eid=648,Wed Mar 19 13:39:00 2014,4724,Microsoft-Windows-Security-Auditing,,,dc01.domain.local,13824,,
Parsed META:
| sessionid | = | |
| time | = | 2014-03-19T14:42:41.0 |
| size | = | |
| medium | = | |
| device.type | = | |
| lc.cid | = | |
| forward.ip | = | |
| device.ip | = |
============================================
I also tryed to modify xml for windows to avoid non-compatible variables, but it didn't help me 
Here is modified parser for this message:
============================================
<MESSAGE
level="6"
parse="1"
parsedefvalue="1"
tableid="85"
id1="Security_4724_Microsoft-Windows-Security-Auditing"
id2="Security_4724_Microsoft-Windows-Security-Auditing"
eventcategory="1402040100"
summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"
content="<event_description> Subject: Security ID: <uid> Account Name: <username> Account Domain: <domain> Logon ID: <sessionid> Target Account: Security ID: <domain_id> Account Name: <c_username> Account Domain: <c_domain>"/>
============================================
(Header 0004 is used to parse header)
Thanks for any help...
Ok, this is a tough one.
SA differs from envision, for every event not only the parser should exist but meta too. After message is parsed meta is created by concentrator. Concentrator creates meta and you only see in that meta in Investigator.
This meta generation depends on index-concentrator-custom.xml and index-concentrator.xml on concentrator configs.
It looks like this:
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Administrator" level="IndexValues" name="administrator" format="Text" valueMax="10000" defaultAction="Open"/>
<key description="testfld" level="IndexValues" name="testfld" format="Text" valueMax="10000" defaultAction="Open"/>
</language>
So if you/rsa even used a content 2.0 table and it parses in ESI/Envision, not all of the values could be displayed in Investigator.
Moreover there is an envision-SA field mapping, and for log parsers you should use envision fields from content 2.0 table.
It is found in /etc/netwitness/ng/envision/etc/table-map.xml. And you should map (in mind, for example: envisionName="sport" nwName="ip.srcport") your envision fields to sa fields to know which values to look for /add for indexing on concentrator.
Moreover2 - there are absolutely no docs on this 
That's how I see it, correct me if I'm wrong, maybe in 10.3 there's everything backwards 
Hello guys,
thanks for your ideas!
I tried to edit "Render locale" to en-US, but unfortunately nothing has changed
Variables'm in my own parser already exist in the table-map.xml, but there has been no change - still will parse only header...
I'll try to contact support and then will let you know.
