Hi, Steven,

Wanted to respond to this after checking with the team. The Microsoft Windows Event Log- Unified SmartConnector parser version can be configured, but it is an operation that should be done with the guidance of ArcSight Customer Support in order to avoid unwanted results. We recommend that anyone following along at home consult first with ArcSight Customer Support for the full context of when and how to modify Microsoft Windows Event Log- Unified SmartConnector parser versions.

Out of the box with ArcSight Express, the Microsoft Windows Monitoring content is triggered by Microsoft Windows events from the Microsoft Windows Event Log- Unified SmartConnector with parser version 1. For ArcSight Express 4.0, make sure this SmartConnector is installed and configured.

It would be nice if the document actually stated how to change the parser version.

The Microsoft Windows Monitoring content is triggered by Microsoft Windows events from the Microsoft Windows Event Log- Unified SmartConnector with parser version 1.

To enable parser version 1 on the SmartConnector:

1 From the computer on which the Microsoft Windows Event Log – Unified

SmartConnector is installed, open a command window.

2 Browse to the $ARCSIGHT_HOME\current\bin directory.

3 Enter the command:

arcsight connectorsetup

4 When prompted to enter Wizard mode, click No.

5 In the Agents area of the Configuration Tool window, select the windowsfg

connector.

6 From the Options menu, select Show Internal Parameters

7 In the Parameters area, scroll to the fcp.version parameter.

8 For Microsoft Windows Monitoring, select 1 as the parser version.

9 Click OK.

.