Maximiliano Cittadini

Poor mssccm parsing?

Discussion created by Maximiliano Cittadini on Sep 7, 2018
Latest reply on Sep 10, 2018 by Eric Partington

recently one of my customers wanto to add a Microsoft System Configuration Center Manager to Netwitness 10.6. He made the configuration of the mssccm server and I have done the configuration of the collection. Everything seems to be working fine but when I want to view the events, I saw the parser only parse a few metadatas and almost all of the raw message is placed to the event.desc meta lossing sight about the source username, destination username and the action taken. 

Could anyone tell me if there is something wrong with the parser or is just the way of that parser works?

These are two screenshots of an event (account modification) where you may see user dst, user src and roles, but no one of this data is parsed well

 

raw event

 

 

thanks in advance for your help

Outcomes