To normalize each log message, TLC uses the Normalization Rules assigned to each Asset Group containing the Asset that represents the message's Log Source (see Assigning Normalization Rules to Asset Groups), as well as any rules assigned to the Asset itself (see Table 48).
To display the results of an Audit Logger query in a graphic format:
1. | In the side bar, select Events >Audit Logger. |
2. | In the Audit Logger, select the Query tab. |
3. | From the Output drop-down, select Graph Events - Processed. |
TLC presents some query-criteria tabs at the bottom of the Query Criteria tab, and adds Graph Type and Template drop-downs.
4. | Select a Graph Type and Template. |
5. | Enter your other criteria for the query. |
For default criteria, see Table 75.
For guidance in completing the query-criteria tabs, see Table 82.
Note |
In the Columns tab, you must add at least one column with a text format, and another column with a numeric format. For example, the Event Name column has a text value (i.e. the name of the log message), while the Count column contains whole numbers (i.e. the number of log messages). |
---|
6. | Click Start. |
TLC queries the Audit Logger File Store and presents a graph with the results.
With the buttons along the top of the Graph tab, you can modify and work with the graph.
Tip |
If the query results seem inaccurate or invalid, and you're unable to resolve the issue, you can save the query results in a log file and then forward the file to Tripwire Support for troubleshooting. For more information, see Troubleshooting an Audit Logger Query. |
---|