Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
546
Views
0
Helpful
2
Replies

Edit supplied event parsers

adam_smith
Level 1
Level 1

‎07-01-2009 07:22 AM

Is it possible to edit the supplied event parsers?

I have issue with WIN-SEC-644 where it doesn't seem to be getting the correct username out of the event. It uses "Caller User Name" when I believe it should be using "Target Account Name"

Labels:
0 Helpful
2 Replies 2

eegilbert
Level 1
Level 1

‎07-01-2009 09:24 AM

Hi Adam,

You certainly can edit the parser:

Click: Management->Device Type Management

Scroll down to the Vendor you want to change. In my MARS setup there are three windows based ones to choose from: 2000, 2003 and Generic.

select one to edit then at the bottom right of the page, click on Edit Parser.

Click Device Event ID WIN-SEC-644 and click edit on the bottom right side of the page.

You can now add to the parser any values you wish.

If it were me, I would consider making a copy of the original device type with the Derive From button.

I hope this helps.

Erric

0 Helpful

patwill66_2
Level 1
Level 1
In response to eegilbert

‎07-02-2009 03:49 AM

You say that after clicking edit on the event ID, you can now add to the parser any values you wish. I have never been able to figure that part out. Where do you add additional information or what its parsing. The only things it allows you to do is select the event type. Is it something defined under patterns? Patterns is always blank for me when I click on that tab.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents