2018-11-07 08:50 AM
I have a problem with the parser for the logs from a Windows event source, only with the Security logs.
In the Investigation module I can see the logs, but they have the wrong parser. I realised that the header.id meta is wrong because the "Log type" in the log starts with a lower-case letter: it says "security" instead of "Security". Because of that, those events have a wrong match with the header.id in the parser, and the same happens with the message.id (windows_generic), generating a wrong match with metas.
Sorry for my English, I hope you can help me.
Thank you for your time
2018-11-07 04:56 PM
I've moved your question to the RSA NetWitness Platform space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA NetWitness Platform and click Ask A Question. That way your question will appear in the correct space.
Regards,
Erica
2018-11-13 03:24 PM
How are these events being collected? WMI or another method?
Curious why the events are coming with a lowercase letter rather than uppercase.