Please create or update the file security.keymap.csv with the appropriate keys for the event.
The example in the documentation appears to be outdated and I spent some time trying to work through how to get the keymap to take.
Here's the error message I started with:
[2017-06-15 18:56:55,635][WARN ][default.com.arcsight.agent.au.w][getKeyValuePairs] Found  keys to be missing for an event with Event ID = , Event Log Type = [Security], Event Source = [Microsoft-Windows-Security-Auditing], for Microsoft Windows keymap family = [Windows 2012 R2]. Please create or update the file [windowsfg/windows_2012/security.keymap.csv] with the appropriate keys for the event.
Notice this is specifically for R2...
I ran a cef destination with Raw Events enabled to get the key value pairs. The documentation says:
Example entries would be as follows:
"528","Successful Logon","User Name","Domain","Logon ID","Logon Type","Logon Process","Authentication Package","Workstation Name","Logon GUID","Caller User Name","Caller Domain","Caller Logon ID","Caller Process ID","Transited Services","Source Network Address","Source Port"
"528","Successful Logon","User Name","Domain","Logon ID","Logon Type","Logon Process","Authentication Package","Workstation Name","Logon GUID","Caller User Name","Caller Domain","Caller Logon ID","Caller Process ID","Transited Services","Source Network Address", "Source Port","Message:A logon attempt was successful"
I found quoting every key didn't work. Also, since this is Windows 2012 R2, the keymap file needed to be named security.keymap.r2.csv - still went in /current/user/agent/fcp/windowsf/windows_2012/. The one for 2012 base build would just be security.keymap.csv, in the same directory.
Here is the finished product that addressed the error completely - it was the last four that were missing, I think, but you have to add all the keys from the event:
4688,"A new process has been created.",Subject: Account Name,Subject: Account Domain,Subject: Logon ID, Process Information: New Process ID,Process Information: New Process Name,Process Information: Token Evaluation Type,Process Information: Created process ID,Message,Key,Key,Key,Key,Key
Here's the raw cef event - I reformatted it a bit so that the keys involved in the error are readable, and in bold. They are order dependent so list them in the csv as they occur in the raw event.
CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4688|Security ID|Low| eventId=4334 externalId=4688 msg=0x1fe0 rawEvent=
WindowsVersion\=Windows Server 2012 R2&&
WindowsKeyMapFamily\=Windows 2012 R2&&
WindowsParserFamily\=Windows 2012 R2|2012|8&&
Subject: Account Name\=S-1-5-18&&
Subject: Account Domain\=MYDOMAIN$&&
Subject: Logon ID\=MYUID&&
Process Information: New Process ID\=0x3e7&&
Process Information: New Process Name\=0x13c8&&
Process Information: Token Evaluation Type\=C:\\Windows\\System32\\conhost.exe&&
Process Information: Created Process ID\=TokenElevationTypeDefault (1)&&
categorySignificance=/Informational categoryBehavior=/Execute/Start categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1497564990772 cat=Security deviceSeverity=Audit_success rt=1497564078000 dhost=MY.HOST.NAME cs2=Detailed Tracking:Process Creation cs1Label=Accesses cs2Label=EventlogCategory cs3Label=New Process ID cs4Label=Process Command Line cs5Label=Creator Process ID cs6Label=Process Information:Token Elevation Type cn1Label=LogonType cn2Label=CrashOnAuditFail cn3Label=Count ahost=mysmartconnectorhost agt=127.0.0.1 agentZoneURI=/All Zones/ArcSight System/Public Address Space Zones/ARIN/127.0.0.0-127.255.255.255 (ARIN) amac=00-00-00-00-00-00 av=184.108.40.20683.0 atz=America/A State at=windowsfg dvchost=MY.HOST.NAME dtz=America/A State _cefVer=0.1 ad.Key=0x0 ad.Process_,InforxUdkVA_~_~ted_,Process_,ID=TokenElevationTypeDefault (1) ad.Key=- ad.Key=- ad.WindowsParserFamily=Windows 2012 R2|2012|8 ad.Key=S-1-0-0 ad.WindowsKeyMapFamily=Windows 2012 R2 ad.Process_,InfornbN1ow_~_~w_,Process_,Name=0x13c8 ad.Subject:_,Account_,Name=S-1-5-18 ad.Key= ad.Process_,Information:_,New_,Process_,ID=0x3e7 ad.Process_,Infor1ma6oQ_~_~valuation_,Type=C:\\Windows\\System32\\conhost.exe ad.Subject:_,Logon_,ID=MYUID ad.WindowsVersion=Windows Server 2012 R2 ad.Subject:_,Account_,Domain=MYDOMAIN$ ad.EventIndex=37691327 aid=3P2B+rVwBABCAD2wwoqXf3Q\=\=
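Since the keymap row has to list the keys in the order they appear in the rawEvent field, here is a small script (added to this thread as an example; it is not ArcSight code and not part of the original post) that parses the `&&`-separated `key\=value` pairs out of a rawEvent string, drops the WindowsVersion/WindowsKeyMapFamily/WindowsParserFamily metadata pairs, and emits the keymap row in that order. It also reports which keys an existing row is missing, which is the check behind the "Found keys to be missing" warning. The sample rawEvent is constructed from the values shown above; the function names, the `security.keymap.r2.csv` naming rule (taken from the post) and the choice to leave keys unquoted are assumptions.

```python
import csv
import io

# Constructed sample rawEvent, modelled on the one quoted in the post (not a live capture).
# In the CEF output "\=" is the escaped key/value separator and "&&" separates pairs.
RAW_EVENT = (
    "WindowsVersion\\=Windows Server 2012 R2&&"
    "WindowsKeyMapFamily\\=Windows 2012 R2&&"
    "WindowsParserFamily\\=Windows 2012 R2|2012|8&&"
    "Subject: Account Name\\=S-1-5-18&&"
    "Subject: Account Domain\\=MYDOMAIN$&&"
    "Subject: Logon ID\\=MYUID&&"
    "Process Information: New Process ID\\=0x3e7&&"
    "Process Information: New Process Name\\=0x13c8&&"
    "Process Information: Token Evaluation Type\\=C:\\\\Windows\\\\System32\\\\conhost.exe&&"
    "Process Information: Created Process ID\\=TokenElevationTypeDefault (1)&&"
)

# Parser-family metadata that is present in every rawEvent but is not an event key.
METADATA_KEYS = {"WindowsVersion", "WindowsKeyMapFamily", "WindowsParserFamily"}


def parse_raw_event(raw):
    """Split a rawEvent string into an ordered list of (key, value) tuples."""
    pairs = []
    for field in raw.split("&&"):
        if not field:
            continue  # trailing "&&" leaves an empty field
        key, sep, value = field.partition("\\=")
        if not sep:
            continue  # not a key/value pair, skip it
        pairs.append((key.strip(), value))
    return pairs


def event_keys(raw):
    """Return the event's own keys, in rawEvent order, without the metadata pairs."""
    return [k for k, _ in parse_raw_event(raw) if k not in METADATA_KEYS]


def keymap_row(event_id, description, raw):
    """Build one security.keymap CSV line: id, description, then the keys in order.

    Only fields that actually need quoting are quoted (the post notes that quoting
    every key did not work); QUOTE_MINIMAL is an assumption, not a documented rule.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow([str(event_id), description] + event_keys(raw))
    return buf.getvalue().rstrip("\n")


def missing_keys(existing_row, raw):
    """Keys present in the rawEvent but absent from an existing keymap row."""
    present = set(next(csv.reader([existing_row]))[2:])
    return [k for k in event_keys(raw) if k not in present]


def keymap_filename(keymap_family):
    """File name rule as described in the post: R2 families use the .r2 variant (assumption)."""
    return "security.keymap.r2.csv" if keymap_family.endswith("R2") else "security.keymap.csv"


if __name__ == "__main__":
    print(keymap_filename("Windows 2012 R2"))
    print(keymap_row(4688, "A new process has been created.", RAW_EVENT))
    partial = "4688,A new process has been created.,Subject: Account Name,Subject: Account Domain"
    print("missing:", missing_keys(partial, RAW_EVENT))
```

Run it against the rawEvent copied from your own Raw Events CEF output (paste it into `RAW_EVENT`), and append the printed row to the keymap file under the parser directory for your Windows family; `missing_keys` lets you diff an existing row against a fresh event before the connector complains again.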
Re: Please create or update the file security.keymap.csv...
Sorry if I am making just a bit of a 'nit pick' but the section;
should probably reflect 'windowsfg' and instead be;
for the security.keymap.csv and security.keymap.r2.csv
Thanks for the solution.