# Normalization formula for Windows logon events delivered by IBM WinCollect
# as tab-separated key=value pairs: EventID 4624 (logon success) and
# 4625 (logon failure).
# Input shape: "<PRI>" prefix, a timestamp, the event-source host (hostname
# or IPv4 literal), then the "key=value" pairs split on tabs into $kv.
TEXT="<{NUMBER}>{time=DATETIME} {event_src.hostname=HOSTNAME|event_src.ip=IPV4} {$kv=KEYVALUE('\\t','=')}"
# Accept only EventID 4624 or 4625.
# NOTE(review): COND compares EventID as the strings "4624"/"4625" while the
# switch below uses bare 4624/4625 — verify the engine treats these the same.
COND=($kv['EventID']=="4624" or $kv['EventID']=="4625")
id="Domain_IBM_WinCollect_auth"
action="login"
object="host"
subject="account"
event_src.title="WinCollect"
event_src.vendor="IBM"
event_src.category="SIEM"
# NOTE(review): 'Computer' / 'OriginatingComputer' presumably identify the
# host that logged the event (the logon target), not where the logon came
# from; mapping them to src.* would conflate target with origin for any
# lateral-movement detection keyed on src.* — confirm against WinCollect
# field semantics and consider dst.* for these values. src.ip may later be
# replaced by "Source Network Address" when the message subformula matches.
src.hostname=$kv['Computer']
src.ip=$kv['OriginatingComputer']
# Map the Windows event ID onto the logon outcome.
switch $kv['EventID']
case 4624 status="success"
case 4625 status="failure"
endswitch
# Parse the free-text 'Message' field with the "message" subformula below.
# NOTE(review): the subformula pattern only matches the 4624 wording
# ("An account was successfully logged on"), so for 4625 events subject.name
# is never filled from the message and src.ip keeps the OriginatingComputer
# value. Source Network Address is accepted only as an IPv4 literal or "-";
# any other value (e.g. an IPv6 address) leaves the pattern unmatched —
# confirm how the engine handles a non-matching submessage.
# NOTE(review): the pattern spans two lines with a line break inside
# "{ subject.name=STRING}" — verify this is intended and not a wrap artifact.
submessage("TEXT","message",$kv['Message'])
subformula "message"
TEXT='An account was successfully logged on. Subject: Security ID: {WORD|NUMBER} {WORD|} Account Name: {STRING} Account Domain: {STRING} Logon ID: {STRING} Logon Type: {NUMBER} Impersonation Level: {WORD} New Logon: Security ID: {STRING} Account Name: {
subject.name=STRING} Account Domain: {WORD} Logon ID: {STRING} Logon GUID: {STRING} Process Information: Process ID: {STRING} Process Name: {STRING} Network Information: Workstation Name: {STRING} Source Network Address: {src.ip=IPV4|"-"} {REST}'
endsubformula
# Base importance and the original Windows event ID.
importance="medium"
msgid=$kv['EventID']