For an introduction to Normalization Rules, see How does Log-Message Normalization work?. Each Normalization Rule defines a .NET regular expression that controls how TLC 'normalizes' log messages (i.e. creates Normalized Messages).
To define a regular expression for a Normalization Rule:
1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Normalization > Rules.
   TLC presents your Normalization-Rule Groups in the workspace table.
   Tip: You can sort, group, and filter the contents of tables. For more information, see Working with Tables.
3. Under Normalization Rules, select the group containing the rule.
4. In the workspace, double-click the rule.
5. In the Normalization Rule properties dialog, select the Rule Details tab. The Complete regular expression field displays the rule's regular expression.
6. Click Rule Editor.
7. In the Rule Editor (see Table 88), enter or edit the .NET regular expression in the Regular expression field.
   To add a Normalization Alias to the regular expression:
   a. In the Rule field, place your cursor at the position where you want to insert the Alias.
   b. From the Alias drop-down, select an Alias.
   c. From the Insert drop-down, select one of the following options:
      - Insert Dynamic Value inserts a variable for the Alias value (e.g. %evt_cls_name%) as defined in the Alias properties (see Working with Aliases). If the Alias value changes in the future, the value used here updates automatically.
      - Insert Static Value inserts the Alias value currently defined in the Alias properties. If the Alias value changes in the future, the value inserted here remains unchanged.
   Note: If the WinLog Collector is selected in the Collector Type field of the Settings tab, the Windows Event Filter tab determines whether TLC normalizes a log message. For more information, see Table 87.
8. To test the regular expression, enter the content of a log message in the Test Message tab and click Test RegEx. If the expression is valid, TLC presents the output in the Test Output field. If no output is returned, the Test History tab presents a description of the error, along with remedial steps.
   Tips: If you search the Audit Logger for 'raw' log messages (see Querying the Audit Logger for 'Raw' Log Messages), you can copy the content of a message from the search results into the Test Message tab. Tripwire recommends that you create and test your regular expressions with a regular-expression parser, such as RegEx Buddy.
9. To estimate the average execution time for the rule, click Test Performance.
   Tips: To simplify troubleshooting of a regular expression, Tripwire suggests that you test the expression whenever you add a new column. If you click Test Performance and the rule's estimated processing time exceeds 1,000 milliseconds, the rule may negatively impact the performance of TLC.
Table 88: Rule Editor fields and tabs

| Field/Tab | Description |
|---|---|
| Alias | A drop-down with Normalization Aliases that may be added to the Rule field. |
| Regular expression | The complete regular expression for the rule. The expression parses specified name/value pairs in the content of log messages, and specifies the columns in which the parsed values will be saved in Event-Management Databases. |
| Insert | To insert a static, literal value for an Alias in the Rule field, select Insert Static Value. To insert a variable for an Alias, select Insert Dynamic Value. In this case, TLC automatically updates the Alias' value if you change the properties of the Alias in the future. |
| Base RegEx tab | Defines the core regular expression for the command. |
| Find-and-Replace tab | See Working with Find-and-Replace Values in Regular Expressions. |
| Test Message tab | To test the rule's regular expression, enter a log message in this tab and click Test. |
| Test History tab | Presents information about previous tests run on the rule's regular expression and estimates of the rule's performance. |
| Test Output | Displays the output when you test the regular expression. |