This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Windows Events

Anonymous
Not applicable

‎2015-06-21 08:07 AM

Dears,

 

I am facing a problem with windows events,

 

i am getting in the event a field called parsererror: EVENTTIME

 

how can i solve this?

 

 

Capture2.JPG.jpg

Microsoft event ID = 4738

1 REPLY 1

MohammedIsmail
Beginner
Beginner

‎2015-06-24 04:57 AM

looking at the parser xml file entry below, I think the colored parts is causing this error.

a quick guess is that the account expire field is empty or  format is not correct

 

does the parser error appear twice?

can you share sample logs?

 

<HEADER

  id1="0004"

  id2="0004"

  messageid="STRCAT(msgIdPart1, &apos;_&apos;, msgIdPart2, &apos;_&apos;, &apos;Microsoft-Windows-Security-Auditing&apos;)"

  content="%NICWIN-&lt;hlevel&gt;-&lt;Hmessageid&gt;: &lt;msgIdPart1&gt;,&lt;Hlinenum&gt;,&lt;Hday&gt; &lt;Hdatetime&gt;,&lt;msgIdPart2&gt;,Microsoft-Windows-Security-Auditing,&lt;Hevent_user&gt;,&lt;Hevent_type&gt;,&lt;Hevent_computer&gt;,&lt;Hcategory&gt;,&lt;Hdata&gt;,&lt;!payload&gt;"/>

 

 

<MESSAGE

  level="6"

  parse="1"

  parsedefvalue="1"

  tableid="85"

  id1="Security_4738_Microsoft-Windows-Security-Auditing:01"

  id2="Security_4738_Microsoft-Windows-Security-Auditing"

  eventcategory="1402020300"

summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"

content="&lt;@ec_theme:UserGroup&gt;&lt;@ec_subject:User&gt;&lt;@ec_activity:Modify&gt;&lt;@ec_outcome:Success&gt;&lt;@:*SYSVAL($MSGID,$ID1)&gt;&lt;@msg:*PARMVAL($MSG)&gt;&lt;@event_log:*HDR(msgIdPart1)&gt;&lt;@expiration_time:*EVNTTIME($MSG,'%G/%F/%W %N:%U:%O %P',fld8)&gt;&lt;@event_time:*EVNTTIME($HDR,'%B %F %H:%U:%O %W',Hdatetime)&gt;&lt;@id:*HDR(msgIdPart2)&gt;&lt;@event_source:Microsoft-Windows-Security-Auditing&gt;&lt;@event_type:*HDR(Hevent_type)&gt;&lt;@event_user:*HDR(Hevent_user)&gt;&lt;@event_computer:*HDR(Hevent_computer)&gt;&lt;@category:*HDR(Hcategory)&gt;&lt;@fld61:*PARMVAL(username)&gt;&lt;@fld63:*PARMVAL(domain)&gt;&lt;event_description&gt;  Subject:  Security ID:  &lt;sid&gt;  Account Name:  &lt;username&gt;    Account Domain:  &lt;domain&gt;  Logon ID:  &lt;sessionid&gt;    Target Account:  Security ID:  &lt;fld39&gt;  Account Name:  &lt;c_username&gt;  Account Domain:  &lt;c_domain&gt;    Changed Attributes: &lt;space&gt;  SAM Account Name: &lt;user_fullname&gt;  Display Name:  &lt;param&gt; Password Last Set: &lt;fld7&gt; Account Expires: &lt;fld8&gt; Primary Group ID: &lt;groupid&gt; AllowedToDelegateTo: &lt;fld88&gt; Old UAC Value:  &lt;change_old&gt;  New UAC Value:  &lt;change_new&gt;  User Account Control: &lt;fld87&gt; Additional Information:  Privileges &lt;privilege&gt;" />

© 2022 RSA Security LLC or its affiliates. All rights reserved.