Parser override for Windows 2008 Kerberos events

Document created by gportnoy on Jun 18, 2010. Last modified by sjdick@novanthealth.org on Feb 3, 2015.
Version 2

This parser override replaces the sourceAddress, and in some rare cases the sourceHostName, for Kerberos-related events (Event IDs 4768, 4769, 4770, 4771 and 4772) logged by Windows 2008. It should only be needed temporarily, until Development integrates the handling into the parser code. The override is necessary because the stock parser cannot extract sourceAddress from the native Win2008 event when the Client Address is written as an IPv4-mapped IPv6 address (for example ::ffff:10.0.0.1) or, for requests that originate on the local machine, as the IPv6 loopback address (::1).
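The normalisation the override performs, shown as an added Python example so it can be run against sample data. This is not the override file itself (that is an ArcSight parser properties file) and not code from the page's author. The event records are constructed samples; the choice to map ::1 to 127.0.0.1 plus the logging host's name is an assumption, since the page only says sourceHostName is overridden in rare cases. The example also handles the hex-encoded mapped form (::ffff:a00:1) and leaves plain IPv6 addresses to the stock parser.

```python
"""Normalise the Client Address field of Windows 2008 Kerberos events.

Added example (not the ArcSight override file): shows the mapping the
override has to perform before sourceAddress can be populated.
"""
import ipaddress

# Kerberos event IDs covered by the override (from the page).
KERBEROS_EVENT_IDS = {4768, 4769, 4770, 4771, 4772}

# Constructed sample events, not real log captures. Only the fields the
# override touches are modelled; "computer" is the host that logged the event.
SAMPLE_EVENTS = [
    {"event_id": 4768, "client_address": "::ffff:10.0.0.1", "computer": "DC01.example.local"},
    {"event_id": 4769, "client_address": "::1",             "computer": "DC01.example.local"},
    {"event_id": 4771, "client_address": "10.0.0.7",        "computer": "DC01.example.local"},
    {"event_id": 4771, "client_address": "::ffff:a00:1",    "computer": "DC01.example.local"},
    {"event_id": 4770, "client_address": "2001:db8::5",     "computer": "DC01.example.local"},
    {"event_id": 4624, "client_address": "::ffff:10.0.0.9", "computer": "DC01.example.local"},
]


def normalize_client_address(raw, local_hostname):
    """Map a Kerberos 'Client Address' value to (sourceAddress, sourceHostName).

    "::ffff:10.0.0.1" or "::ffff:a00:1" (IPv4-mapped IPv6) -> ("10.0.0.1", None)
    "::1" (request from the local machine)                 -> ("127.0.0.1", local_hostname)
        Assumption: the loopback case is mapped to the IPv4 loopback and the
        logging host's name; the page does not state what value it uses.
    plain IPv4                                             -> unchanged, no host name
    any other IPv6 address or unparsable text              -> (None, None), i.e. left
        to the stock parser, since an IPv4-only sourceAddress field cannot hold it.
    """
    value = raw.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None, None
    if addr.version == 4:
        return str(addr), None
    if addr.is_loopback:
        return "127.0.0.1", local_hostname
    mapped = addr.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None
    if mapped is not None:
        return str(mapped), None
    return None, None


def apply_override(events):
    """Return (event_id, sourceAddress, sourceHostName) for Kerberos events only.

    Non-Kerberos events (e.g. 4624) are skipped, matching the override's scope.
    """
    results = []
    for event in events:
        if event["event_id"] not in KERBEROS_EVENT_IDS:
            continue
        src, host = normalize_client_address(event["client_address"], event["computer"])
        results.append((event["event_id"], src, host))
    return results


if __name__ == "__main__":
    for row in apply_override(SAMPLE_EVENTS):
        print(row)
```

Running the block prints one tuple per Kerberos sample; the 4624 record is ignored, the two mapped forms both yield 10.0.0.1, and the 2001:db8::5 record comes back with no sourceAddress so the stock parser's behaviour is not masked.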

Place this file (or append its contents to one that already exists) in the following directory under the connector installation:

current\user\agent\fcp\windowsfg\windows_2008\
