KBI 310706 Issue Addressed: W2012 File Audit Events Are Wrongly Parsed
Version
Argent Advanced Technology 3.1A-1308-A or below
Date
Tuesday, 15 Oct 2013
Summary
Windows 2012 Server changed the security log format for file audit events. Argent AT 3.1A-1308-A and earlier versions cannot parse these events properly.
Technical Background
Argent AT relies on the Windows security log format to determine the meaning of each insertion string. A file audit is not a single event, but a sequence of events that are related through the handle ID. When the handle ID and other vital fields are interpreted wrongly, file audit events cannot be understood properly.
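The correlation described above, as an added example that is not Argent's code: it reads each event's fields by name from the event XML rather than by insertion-string position, then groups events into one record per handle lifetime. It assumes the standard Windows file audit event IDs (4656 handle requested, 4663 access attempt, 4660 object deleted, 4658 handle closed) and their EventData field names; the sample events are constructed and trimmed to the fields used.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, **data):
    """Build a trimmed, constructed event XML document (not real log data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample: a delete by alice, the same handle value reused by bob,
# and one access event whose 4656 open event was never seen.
P = "0x9a0"
SAMPLE = [
    _event(4656, SubjectUserName="alice", ObjectName=r"C:\Share\plan.docx", HandleId="0x1f4", ProcessId=P),
    _event(4663, HandleId="0x1f4", ProcessId=P, AccessMask="0x10000"),
    _event(4660, HandleId="0x1f4", ProcessId=P),
    _event(4658, HandleId="0x1f4", ProcessId=P),
    _event(4656, SubjectUserName="bob", ObjectName=r"C:\Share\notes.txt", HandleId="0x1f4", ProcessId=P),
    _event(4663, HandleId="0x2c8", ProcessId=P, AccessMask="0x2"),
    _event(4663, HandleId="0x1f4", ProcessId=P, AccessMask="0x1"),
    _event(4658, HandleId="0x1f4", ProcessId=P),
]

def parse(xml_text):
    """Return (event_id, fields), reading EventData by field name, not position."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = root.iterfind("e:EventData/e:Data", NS)
    return event_id, {d.get("Name"): d.text or "" for d in data}

def correlate(events):
    """Group 4656 -> 4663/4660 -> 4658 into one record per handle lifetime."""
    open_handles, finished, orphans = {}, [], []
    for xml_text in events:
        event_id, f = parse(xml_text)
        # Handle values are per-process and get reused after close.
        key = (f.get("ProcessId"), f.get("HandleId"))
        if event_id == 4656:      # handle requested: start of a sequence
            open_handles[key] = {"user": f["SubjectUserName"], "object": f["ObjectName"],
                                 "masks": [], "deleted": False}
        elif key not in open_handles:
            orphans.append((event_id, key))   # open event missing: cannot attribute
        elif event_id == 4663:    # access attempt on the open handle
            open_handles[key]["masks"].append(f["AccessMask"])
        elif event_id == 4660:    # object deleted
            open_handles[key]["deleted"] = True
        elif event_id == 4658:    # handle closed: sequence complete
            finished.append(open_handles.pop(key))
    return finished, orphans
```

Events that land in `orphans` are the visible symptom of a misread handle ID: the access is logged but cannot be tied to a user or file.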
Resolution
Upgrade to Argent Advanced Technology 3.1A-1310-A or later