I'm trying to add some valuemapping to the winevent_nic parser. I want to replace the logon windows types and status/substatus'. Here is what I have as my valuemaps in the parser.
<VALUEMAP
name="resultcode"
default="undefined"
keyvaluepairs="0xC0000064='User name does not exist'|0xC000006A='User name is correct but the password is wrong'|0xC0000234='User is currently locked out'|0xC0000072='Account is currently disabled'|0xC000006F='User tried to logon outside of week or time of day restrictions'|0xC0000070='Workstation restriction'|0xC0000193='Account Expiration'|0xC0000071='Expired password'|0xC0000133='Clocks between DC and other computer too far out of sync'|0xC0000224='User required to change password at next logon'|0xC0000225='AEvidently a bug in Windows and can be ignored'|0xC000015B='The user has not been granted the requested logon type/right at this machine'" />
<VALUEMAP
name="logon_type"
default="undefined"
keyvaluepairs="2='Interactive'|3='Network (i.e. mapped drive)'|4='Batch (i.e. schedule task)'|5='Service (i.e. service start up)'|7='Unlock (i.e. unattended workstation with password protected screen saver)'|8='Network Cleartext (i.e. Microsoft IIS using basic authentication)'|10='Remote desktop'|11='Logon with cached credentials'" />
I've done this before on other parsers, but this one just isn't playing nice. Anyone have an idea on why it could not be working?
