Configuration Manager. A Normalized-Message Filter prevents TLC from forwarding some log messages to a specified Output Destination(s). If a message matches all condition(s) specified by an enabled Normalized-Message Filter, and the message originated with a Monitored Asset that has an Output Destination specified by the filter (see Changing the Output Destinations for a Monitored Asset), TLC will not forward the message to the Output Destination. For example, consider a Monitored Asset that has the default Event Database as an Output Destination, and a Normalized-Message Filter that specifies the database and the Asset's IP address in a condition. If TLC normalizes a message from the Asset, the filter will prevent TLC from saving the Normalized Message in the default Event Database. For more information about the normalization process, see How does Log-Message Normalization work?.
To create, change, or delete a Normalized-Message Filter:
| 1. | In the side bar, select Resources >Configuration Manager. |
| 2. | In the side bar of the Configuration Manager, select  Normalization > Normalized-Message Filters. |
TLC presents your Normalized-Message Filters in the workspace table.
|
Tip |
You can sort, group, and filter the contents of tables. For more information, see Working with Tables). |
|---|
| 3. | To create a new Normalized-Message Filter: |
| a. | Click Add Filter. |
| b. | Complete the Normalized-Message Filter tab (see Table 92) and click OK. |
To modify an existing filter:
| a. | In the workspace, double-click the filter. |
| b. | As needed, edit the Normalized-Message Filter tab (see Table 92) and click OK. |
To enable a disabled filter, select the filter in the workspace and click
Enable.
To disable a filter, select the filter and click
Disable.
To delete a filter:
| a. | In the workspace, select the filter. |
| b. | Right-click the filter and select Delete Filter. |
| c. | In the confirmation dialog, click Yes. |
|
Tip |
Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers). |
|---|
|
Field |
Description |
|---|---|
|
Name |
The name of the Normalized-Message Filter. |
|
Enabled |
If selected, TLC will refer to the filter's conditions to determine if Normalized Messages should be forwarded to the Output Destination(s) specified in the Destination Name drop-down. |
|
Description |
(Optional) A description of the filter. |
|
Output Destination |
The first drop-down indicates the Event-Management Database(s) or Correlation Engine(s) to which the filter applies. The second drop-down indicates the type of Events to be filtered; either Events normalized by TLC or Scanner Events. |
|
Filter Criteria tab |
This tab specifies the conditions for the Normalized-Message Filter. Each condition specifies a value for a log-message field. For field descriptions, click here. To add a condition to the filter, click To define a condition: 1. Select the log-message field from the Type drop-down. If you select Event Priority from the Type drop-down, see How do Event-Priority Filters work? for more information. 2. Select an operator from the Condition drop-down. 3. Enter a Value for the condition. This field supports .NET regular expressions. Note: By default, TLC applies an AND operator for the conditions in a filter. In other words, TLC will only filter a log message if the message matches all of the conditions. To define a condition with an OR operator, select Contains or Not Contains from the Condition drop-down, and then enter a .NET regular expression such as "Event Name contains logon|logoff" in the Value field. To change the order of the conditions, use the buttons on the right of the tab. For better performance, Tripwire recommends placing conditions specifying exact matches at the top of the list, with conditions specifying regular expressions at the bottom of the list. To delete a condition: 1. Click the condition. 2. Select the condition by clicking the arrow to the left of the condition. 3. Click |