Microsoft MSI Installer events - Parser Overrides


This is an early version of an MSI Installer parsing file that should cover a number of scenarios for logs that include MSIInstaller information. I scraped some data off of a few thousand Windows devices and referenced a number of Microsoft TechNet and MSDN articles.

You will receive log messages similar to 'Windows Installer reconfigured the product. Product Name: Adobe Flash Player ActiveX. Product Version: Product Language: 1033. Reconfiguration success or error status: 0.'.

One of the best resources for this data was at

This is a huge file because it was simpler to build it out this way than scrunching together conditional mappings and building files later. Version '2' of this document will include mapping the name of the files, MSI filenames, etc., to various fields.

I am hoping to just scrape more data from my environment before I go that far, but I will release v2 for everyone soon.

Content is licensed under the MIT license - you can do whatever you want with this as long as you include a copy of the license (embedded in the file).

Installation instructions are simple: just copy this file into the $ARCSIGHT_HOME\current\user\agent\fcp\windowsfg\windows_2008 folder as filename '' (for forwarded events).

Enjoy, Arcsighters!
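An added example, not part of the original post or of the parser override file: a Python sketch (not ArcSight parser syntax) that splits the message quoted above into fields by label position, so an empty field such as the blank Product Version in that sample is not filled with the next label. The function names and the `Manufacturer` label are assumptions of this example.

```python
import re

# Labels from the sample message on this page. "Manufacturer" is not in that
# sample; it is listed because newer Windows versions add it (assumption here).
LABELS = ["Product Name", "Product Version", "Product Language", "Manufacturer"]
# The status label changes with the action ("Reconfiguration", "Installation", ...).
STATUS_LABEL = r"\w+ success or error status"
LABEL_RE = re.compile("(%s|%s):" % ("|".join(re.escape(l) for l in LABELS), STATUS_LABEL))

# Sample message quoted from the page; note the empty Product Version.
SAMPLE = ("Windows Installer reconfigured the product. "
          "Product Name: Adobe Flash Player ActiveX. Product Version: "
          "Product Language: 1033. Reconfiguration success or error status: 0.")

def naive_version(msg):
    """Per-field regex: with an empty version it captures the next label."""
    m = re.search(r"Product Version: (\S+)", msg)
    return m.group(1) if m else None

def _clean(text):
    """Trim whitespace and the single sentence-ending period."""
    text = text.strip()
    return text[:-1].strip() if text.endswith(".") else text

def parse_msi_message(msg):
    """Return a dict of fields, slicing values between consecutive labels."""
    hits = list(LABEL_RE.finditer(msg))
    if not hits:
        return None  # not an MsiInstaller product message
    fields = {"action": _clean(msg[:hits[0].start()])}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        value = _clean(msg[cur.end():nxt.start() if nxt else len(msg)])
        key = "status" if cur.group(1).endswith("status") else cur.group(1)
        fields[key] = value or None  # empty field -> None, never the next label
    status = fields.get("status")
    fields["status"] = int(status) if status and status.isdigit() else status
    return fields

if __name__ == "__main__":
    print(naive_version(SAMPLE))      # shows the mis-capture
    print(parse_msi_message(SAMPLE))  # shows the label-sliced fields
```

A non-zero status is the value to alert on; product names that contain periods survive because values are cut at the next label rather than at the first period.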
