Event Management

How does Log-Message Normalization work?

Normalization is the process of standardizing a log message for use by Tripwire Log Center (TLC). A log message that has been normalized by TLC is known as a Normalized Message, and a Normalized-Message field is a field that appears in a Normalized Message.

To normalize a log message, your Primary Manager's Normalization Engine uses a Normalization Rule. Each Normalization Rule defines a .NET regular expression that can only be used to normalize log messages generated by a specific type of Log Source.

To simplify the process of creating and editing Normalization Rules, TLC provides an extensive library of pre-defined regular expressions that may be added to your rules. In addition, you can create custom variables (known as Normalization Aliases) to represent partial or complete regular expressions of your own (see Working with Aliases).

Each Monitored Asset in TLC specifies one or more Output Destinations for log messages generated by the Asset's Log Source (see Changing the Output Destinations for a Monitored Asset). An Output Destination is either the Audit Logger, an Event-Management Database, or a Correlation Engine that correlates Normalized Messages. For further details about Output Destinations, see:

Where does TLC store Data?

How does Event Correlation work?

Figure 34 shows how TLC normalizes a log message. The following TLC components play a role in the normalization process.

The Parsing Utility parses each field/value pair in a log message.

A Clean-Up Utility standardizes the format of each field/value pair. TLC includes one Clean-Up Utility for Normalized Messages to be stored as Events in IDS Databases, and another Clean-Up Utility for all other Output Destinations.

A Normalized-Message Filter prevents TLC from forwarding some log messages to a specified Output Destination(s). If a message matches the condition(s) specified by an enabled Normalized-Message Filter, and the message originated with a Monitored Asset that has an Output Destination specified by the filter, TLC will not forward the message to the Output Destination. For example, consider a Monitored Asset that has the default Event Database as an Output Destination, and a Normalized-Message Filter that specifies the database and the Asset's IP address in a condition. If TLC normalizes a message from the Asset, the filter will prevent TLC from saving the Normalized Message in the default Event Database.

The steps below describe the decision-making process involved in the normalization of log messages (outlined in red in Figure 34). For more information about related TLC features, see Log-Message Normalization & Classification.

Figure 34.  Normalizing a log message (click to enlarge)

Normalizing a log message

Does TLC have a Normalization Rule for the log message?

Yes = If the Configuration Manager contains an enabled Normalization Rule for the type of Log Source that generated the log message, the Parsing Utility parses the field/value pairs.

No = Otherwise, the Normalization Engine ignores the message.

Notes 

If the Configuration Manager does not contain an enabled Normalization Rule for the Log Source, and the Log 'Not Logged Events' to File setting is enabled in the Logging tab of the Primary Manager's properties dialog, TLC will save the log message in the following file:

<TLC_Manager_install_dir>/logs/<ip_address>-notlogged.log

Where <TLC_Manager_install_dir> is the installation directory for TLC Manager, and <ip_address> is the IP address of the Log Source.

If the WinLog Collector is assigned to a Normalization Rule, the filter criteria in the rule's Windows Event Filter tab determine if the Parsing Utility parses a Common Event Format (CEF) log message. If a CEF log message does not match the filter criteria, TLC ignores the log message. For more information about this tab, see Table 87.

Output = IDS, ED, and/or CE?

TLC sends the message to the appropriate Clean-Up Utility for the Monitored Asset's Output Destination(s). The Clean-Up Utility then standardizes the field/value pairs in the message.

Output = ED and/or CE?

CE = If a Correlation Engine is an Output Destination for the Monitored Asset, TLC forwards the Normalized Message to the Correlation Engine (see How does Event Correlation work?).

ED = If an Event Database is an Output Destination, TLC applies all enabled Normalized-Message Filters to the message.

Does the Normalized Message match Norm. Message Filter?

Yes = If the Normalized Message matches one of the Normalized-Message Filters, TLC ignores the message.

No = Otherwise, TLC saves the message as an Event in the specified IDS Database or Event Database.

Note 

If an enabled Email Action is assigned in the Alert Options tab of the Normalization Rule’s properties dialog (see Working with Normalization Rules), TLC also sends an email notification to the specified recipients. For more information about Actions, see What are Actions?.