Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| MsiInstaller Messages 1 | Base Rule | General MsiInstaller Information | Information |
| EVID 1029 : Software Install Reboot Deferred | Sub Rule | Update Requires Restart | Information |
| EVID 1033 : Software Installed | Sub Rule | Software Installed | Configuration |
| EVID 1034 : Software Uninstalled | Sub Rule | Software Uninstalled | Configuration |
| EVID 1035 : Software Reconfigured | Sub Rule | Software Updated | Configuration |
| EVID 1038 : Software Install Restart Required | Sub Rule | Restart Required To Complete Installation | Information |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='MsiInstaller'/>
    <EventID Qualifiers='0'>1038</EventID>
    <Level>Information</Level>
    <Task>None</Task>
    <Keywords>Classic</Keywords>
    <TimeCreated SystemTime='2016-10-28T18:51:02.000000000Z'/>
    <EventRecordID>709688</EventRecordID>
    <Channel>Application</Channel>
    <Computer>_destinationHostname</Computer>
    <Security UserID='_domain\_originUser'/>
  </System>
  <EventData>
    <Data>Cylance PROTECT</Data>
    <Data>1.2.1400.39</Data>
    <Data>1033</Data>
    <Data>2</Data>
    <Data>0</Data>
    <Data>Cylance, Inc.</Data>
    <Data></Data>
    <Binary>7B32453634464335432D393238362D344133312D393136422D3044384145344232323935347D3030303062633430313761373565393131366135383135663834613839363736336434303030303030393034</Binary>
  </EventData>
</Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider Name | MsiInstaller | <vendorinfo> | Text/String |
| EventID | 1038 | <vmid> | Number |
| Level | Information | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |
| UserID | _domain | <domain> | Text/String |
| N/A | _originUser | <login> | Text/String |
| N/A | Cylance PROTECT | <process> | Text/String |
| N/A | 1.2.1400.39 | <version> | Number |
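To show how the Classification sub rules and the schema mapping above apply to the sample event, here is an added Python example (not LogRhythm's MPE parser): it reads the event XML, selects the sub rule by EventID, and fills the schema fields named in the mapping table. The rule dictionary, the positional reading of EventData (product name first, version second) and the shortened copy of the sample event are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Added example, not LogRhythm's own parser: applies the page's sub-rule table
# and schema mapping to one MsiInstaller event from the Application channel.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BASE_RULE = ("General MsiInstaller Information", "Information")
MSI_RULES = {  # sub rules from the Classification table, keyed by EventID
    1029: ("Update Requires Restart", "Information"),
    1033: ("Software Installed", "Configuration"),
    1034: ("Software Uninstalled", "Configuration"),
    1035: ("Software Updated", "Configuration"),
    1038: ("Restart Required To Complete Installation", "Information"),
}

# The page's sample event with the Binary element dropped (constructed copy).
SAMPLE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='MsiInstaller'/><EventID Qualifiers='0'>1038</EventID>"
    "<Level>Information</Level><Channel>Application</Channel>"
    "<Computer>_destinationHostname</Computer>"
    "<Security UserID='_domain\\_originUser'/></System>"
    "<EventData><Data>Cylance PROTECT</Data><Data>1.2.1400.39</Data><Data>1033</Data>"
    "<Data>2</Data><Data>0</Data><Data>Cylance, Inc.</Data><Data></Data>"
    "</EventData></Event>"
)


def map_msiinstaller_event(xml_text):
    """Map one event to LogRhythm schema fields; None if the base rule misses."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    if sysnode.find("e:Provider", NS).get("Name") != "MsiInstaller":
        return None
    event_id = int(sysnode.find("e:EventID", NS).text)
    # Security UserID carries "domain\user"; the table splits it into two fields.
    domain, _, login = sysnode.find("e:Security", NS).get("UserID", "").rpartition("\\")
    # EventData items are positional: index 0 is the product, index 1 its version.
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    common_event, classification = MSI_RULES.get(event_id, BASE_RULE)
    return {
        "vendorinfo": "MsiInstaller",
        "vmid": event_id,
        "severity": sysnode.find("e:Level", NS).text,
        "dname": sysnode.find("e:Computer", NS).text,
        "domain": domain,
        "login": login,
        "process": data[0] if data else "",
        "version": data[1] if len(data) > 1 else "",
        "common_event": common_event,
        "classification": classification,
    }
```

An EventID outside the sub-rule table (for example a new installer event) falls back to the base rule, which is the behaviour the Classification table implies for `MsiInstaller Messages 1`.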