Assigning Classification Tags to a Normalization Rule

With this procedure, you can manage the ClassificationThe process of categorizing log messages with Classification Tags. Tags assigned to a Normalization RuleDefines a regular expression that can be used to normalize log messages generated by a specific type of Log SourceAny log-generating application, operating-system service, database instance, or device from which TLC collects log messages.. (see How does Classification work?). If the Rules Engine - Display Classification Condition setting is enabled in your Manager's properties (see Changing a Manager's Advanced Settings), you can also define a regular-expression condition for the Tags assigned to user-defined NormalizationThe process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages. Rules. If the rule has a condition, then TLC only associates the rule's Tags with a 'raw' log messageA data record generated by a Log Source and collected by TLC. if the message satisfies the criteria specified by the condition's regular expression.

To work with the Classification Tags assigned to a Normalization Rule:

1.

In the side bar, select Resources >Configuration ManagerIn the Configuration Manager, you can create and configure TLC Resources (Assets, AssetAn object in TLC that represents a Log Source from which TLC collects log messages directly. Groups, Managers, Locations, Event1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source.-Management Databases), normalization objects (Normalization Rules, Aliases, and Normalized-Message Filters), and correlation objects (CorrelationThe examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients. Engines, Rules, Lists, and Actions)..

2.

In the side bar of the Configuration Manager, select Normalization >Rules.

TLC presents your Normalization-Rule Groups in the workspace table.

a.

ClickAdd.

To remove a Classification Tag from the rule, select the Tag's line and clickRemove.

To add a Classification Condition:

To test a Classification Condition defined by a regular expression:

The Output field indicates if the log message passed or failed the condition.