
Valuemap not working on parser

Question asked by Julian Macias on Jan 29, 2018
Latest reply on Jan 30, 2018 by Julian Macias

I'm trying to add some value mapping to the winevent_nic parser. I want to replace the Windows logon types and statuses/substatuses. Here is what I have as my valuemaps in the parser.

<VALUEMAP
name="resultcode"
default="undefined"
keyvaluepairs="0xC0000064='User name does not exist'|0xC000006A='User name is correct but the password is wrong'|0xC0000234='User is currently locked out'|0xC0000072='Account is currently disabled'|0xC000006F='User tried to logon outside of week or time of day restrictions'|0xC0000070='Workstation restriction'|0xC0000193='Account Expiration'|0xC0000071='Expired password'|0xC0000133='Clocks between DC and other computer too far out of sync'|0xC0000224='User required to change password at next logon'|0xC0000225='Evidently a bug in Windows and can be ignored'|0xC000015B='The user has not been granted the requested logon type/right at this machine'" />

<VALUEMAP
name="logon_type"
default="undefined"
keyvaluepairs="2='Interactive'|3='Network (i.e. mapped drive)'|4='Batch (i.e. schedule task)'|5='Service (i.e. service start up)'|7='Unlock (i.e. unattended workstation with password protected screen saver)'|8='Network Cleartext (i.e. Microsoft IIS using basic authentication)'|10='Remote desktop'|11='Logon with cached credentials'" />

 

I've done this before on other parsers, but this one just isn't playing nice. Anyone have an idea on why it could not be working?
