Microsoft MSI Installer events - Parser Overrides

File uploaded by seniorj@bennettjones.com on Aug 25, 2014

This is an early version of an MSI Installer parsing file that should cover a number of scenarios for logs that include MSIInstaller information. I scraped some data off of a few thousand Windows devices and referenced a number of Microsoft Technet and MSDN articles.


You will receive log messages similar to 'Windows Installer reconfigured the product. Product Name: Adobe Flash Player 14.0.0.145 ActiveX. Product Version: 14.0.0.145. Product Language: 1033. Reconfiguration success or error status: 0.'.


One of the best resources for this data was at http://msdn.microsoft.com/en-us/library/aa368560(v=vs.85).aspx
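To show what a parser override has to extract from these messages, here is an added Python example (my own illustration, not the uploaded sdkkeyvaluefilereader.properties file) that splits the MSI event text into fields and classifies the status code. The sample messages are constructed in the format quoted above; the status names are a small subset of the Windows Installer return codes from the MSDN error-code reference.

```python
import re
from typing import Dict, Optional

# Constructed sample messages in the documented format (not real lines from any environment).
SAMPLES = [
    "Windows Installer reconfigured the product. Product Name: Adobe Flash Player 14.0.0.145 ActiveX. "
    "Product Version: 14.0.0.145. Product Language: 1033. Reconfiguration success or error status: 0.",
    "Windows Installer installed the product. Product Name: Example Agent. Product Version: 2.1.0. "
    "Product Language: 1033. Manufacturer: Example Corp. Installation success or error status: 1603.",
]

# Subset of Windows Installer return codes (MSDN "Error Codes" reference).
MSI_STATUS = {
    0: "ERROR_SUCCESS",
    1602: "ERROR_INSTALL_USEREXIT",
    1603: "ERROR_INSTALL_FAILURE",
    1618: "ERROR_INSTALL_ALREADY_RUNNING",
    1641: "ERROR_SUCCESS_REBOOT_INITIATED",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
}

ACTION_RE = re.compile(r"^Windows Installer (?P<action>installed|removed|reconfigured) the product\.")
# The keys are a fixed vocabulary. A value runs up to the period that precedes the next known key
# (or the end of the message), so dotted values such as "14.0.0.145" are not cut short.
KEYS = (r"Product Name|Product Version|Product Language|Manufacturer|"
        r"(?:Installation|Removal|Reconfiguration) success or error status")
PAIR_RE = re.compile(rf"(?P<key>{KEYS}): (?P<value>.*?)\.(?= (?:{KEYS}):|$)")


def parse_msi_event(message: str) -> Optional[Dict[str, object]]:
    """Return the MSI fields from one event message, or None if it is not an MSI message."""
    m = ACTION_RE.match(message)
    if not m:
        return None  # leave non-MSI messages to other parsers
    fields: Dict[str, object] = {"action": m.group("action")}
    for pair in PAIR_RE.finditer(message, m.end()):
        key, value = pair.group("key"), pair.group("value")
        if key.endswith("success or error status"):
            code = int(value)
            fields["status_code"] = code
            fields["status_name"] = MSI_STATUS.get(code, "UNKNOWN")
            # 1641 and 3010 are successes that only require a reboot.
            fields["outcome"] = "success" if code in (0, 1641, 3010) else "failure"
        else:
            fields[key.lower().replace(" ", "_")] = value
    return fields


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_msi_event(sample))
```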


This is a huge sdkkeyvaluefilereader.properties file because it was simpler to build it out this way than to scrunch together conditional mappings and build map.properties files later. Version 2 of this document will include mapping the names of the files, MSI filenames, etc. to various fields.


I am hoping to just scrape more data from my environment before I go that far, but I will release v2 for everyone soon.


Content is licensed under the MIT license: you can do whatever you want with this as long as you include a copy of the license (embedded in the sdkkeyvaluefilereader.properties file).


Installation instructions are simple: just copy this file into the $ARCSIGHT_HOME\current\user\agent\fcp\windowsfg\windows_2008 folder as 'hardwareevents.msiinstaller.sdkkeyvaluefilereader.properties' (for forwarded events).


Enjoy, Arcsighters!
