Normalization Rules

Working with Normalization Rules

A Normalization Rule defines a .NET regular expression with which TLC 'normalizes' log messages. For an introduction to Normalization Rules, see How does Log-Message Normalization work?

Tip 

The addition of complex, custom Normalization Rules will increase CPU workloads. Therefore, Tripwire recommends that you exercise discretion when creating custom rules.

Tip

Tripwire recommends that you regularly download the latest Tripwire-defined TLC content from the Tripwire Web site. Tripwire-defined content includes Normalization Rules, Normalization Aliases, Correlation Rules, Correlation Lists, and some Tasks. For instructions, see Updating TLC with the Latest Tripwire Content.

To create, enable, change, or delete a Normalization Rule:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Normalization > Normalization Rules.

TLC presents your Normalization-Rule Groups in the workspace table.

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables.

3. To create a new rule:
a. Under Normalization Rules, select the group in which to create the rule.
b. Click Create rule, or select an existing rule and click Copy selected rule.
c. In the Normalization Rule properties dialog, enter a Name. Tripwire recommends the following naming convention: 

<vendor> <product> <version> <description>

Where <description> is a brief description of the types of log messages to be normalized by the rule. For example: 

Apache Server 2.2.17 Post Server Error

d. Select a Collector type for the rule.
e. If you selected the WinLog Collector, enter a unique Event ID in the Windows Event Filter tab.

For all other Collectors, enter a unique Quick Match string in the Settings tab.  

If TLC attempts to normalize a log message with the rule, and the content of the message contains a string that matches the Event ID or Quick Match value, TLC normalizes the log message with the regular expression defined in the Rule Details tab (see Table 88). Otherwise, TLC does not create a Normalized Message.

f. Complete the Normalization Rule properties dialog (see Table 88) and click OK.

To modify an existing Normalization Rule:

a. Under Normalization Rules, select the group containing the rule.
b. In the workspace, double-click the rule.
c. As needed, edit the Normalization Rule properties dialog (see Table 88) and click OK.

Note 

If the WinLog Collector is assigned to the rule, a value must be entered in the Event ID field in the Windows Event Filter tab.

For all other Collectors, a value must be entered in the Quick Match field.

To enable a disabled rule, select the rule in the workspace and click Enable.

To disable a rule, select the rule and click Disable.

To delete a rule:

a. Under Normalization Rules, select the group containing the rule.
b. In the workspace, select the rule.
c. Right-click the rule and select Delete selected rules.
d. In the confirmation dialog, click OK.

If the Save Table Layout feature is enabled (see Saving Table Layouts in the Configuration Manager), you can modify the table in the workspace and click Save Table Layout to save the updated layout for future use.

Tip 

Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).
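As an added illustration (not TLC code, and not taken from this manual), the following Python sketch models the matching order described in step e above: the cheap Quick Match substring check runs first, and only when it succeeds is the regular expression from the Rule Details tab applied. It also expands <Field> variables in the Description and runs rules in ascending Rule priority, as documented for those fields in Table 88. Python's re module stands in for the .NET engine; the NormalizationRule class, rule names, field names and sample log lines are all constructed for the example. One caveat for anyone porting patterns between the two engines: .NET writes a named group as (?<name>...), whereas Python's re requires (?P<name>...).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of a TLC Normalization Rule (added example, not TLC code).
# Python's re stands in for the .NET regex engine; note that .NET writes a named
# group as (?<name>...) while Python's re needs (?P<name>...).
@dataclass
class NormalizationRule:
    name: str
    quick_match: str       # Settings tab: substring pre-check before the regex is tried
    pattern: str           # Rule Details tab: the regular expression
    description: str       # Description tab: literal text plus <Field> variables
    priority: int = 100    # Settings tab: lower values run first
    enabled: bool = True
    regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern)

    def normalize(self, message: str) -> Optional[dict]:
        """Return a Normalized Message dict, or None if the rule does not apply."""
        # Disabled rules and messages that fail the cheap Quick Match never reach the regex.
        if not self.enabled or self.quick_match not in message:
            return None
        m = self.regex.search(message)
        if m is None:
            return None
        fields = m.groupdict()

        # Expand <Field Name> variables; group names use '_' where the label has a space.
        # Unknown variables are left untouched so a typo is visible in the Event Name.
        def expand(var: re.Match) -> str:
            key = var.group(1).replace(" ", "_")
            return fields.get(key, var.group(0))

        event_name = re.sub(r"<([^<>]+)>", expand, self.description)
        return {"rule": self.name, "event_name": event_name, **fields}


def normalize_message(rules, message: str) -> list:
    """Run every enabled rule against one log line, lowest Rule priority first."""
    out = []
    for rule in sorted(rules, key=lambda r: r.priority):
        result = rule.normalize(message)
        if result is not None:
            out.append(result)
    return out


# Constructed rules following the recommended <vendor> <product> <version> <description> naming.
RULES = [
    NormalizationRule(
        name="Apache Server 2.2.17 Post Server Error",
        quick_match="[error]",
        pattern=r"\[error\] \[client (?P<Src_IP>\d{1,3}(?:\.\d{1,3}){3})\] (?P<Msg>.+)$",
        description="Apache error from <Src IP>: <Msg>",
        priority=10,
    ),
    NormalizationRule(
        name="Apache Server 2.2.17 Any Client Message",
        quick_match="[client",
        pattern=r"\[client (?P<Src_IP>[0-9.]+)\]",
        description="Apache message from <Src IP>",
        priority=500,
    ),
]

# Constructed sample log lines (not from the original page).
SAMPLE_LOGS = [
    "[Tue Mar 01 10:00:00 2011] [error] [client 10.1.2.3] File does not exist: /var/www/html/admin",
    "[Tue Mar 01 10:00:01 2011] [error] mod_ssl: handshake failed",   # Quick Match hits, regex misses
    "sshd[4242]: Accepted password for bob from 10.0.0.5 port 51522 ssh2",  # neither Quick Match hits
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line)
        for n in normalize_message(RULES, line):
            print("   ", n["rule"], "->", n["event_name"])
```

The second sample line shows why the Quick Match string alone is not a match decision: it only gates whether the regular expression is tried, and a line that passes the gate but fails the expression produces no Normalized Message, exactly as the step e text describes.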

Table 88. Normalization Rule properties dialog

Tab / Description

Monitored Assets

Includes a list of the Monitored Assets in your TLC environment.

To assign a Monitored Asset to the rule, select the Asset's check box and click Apply.

To remove an Asset from the rule, clear the Asset's check box and click Apply.

To open an Asset's properties dialog, double-click the Asset (see Working with Monitored Assets).

Tip: To select and clear check boxes, you can also use the buttons at the top of the tab.

Classification

Includes any Classification Tags applied to the rule. If 1) TLC collects a log message containing a string that matches the rule's Event ID or Quick Match value, 2) one or more Tags are assigned in this tab, and 3) the message satisfies any Classification Conditions defined in this tab, TLC associates the message with these Tags.

For an introduction to Classification, see How does Classification work?.

For guidance in configuring the Classification tab, see Assigning Classification Tags to a Normalization Rule.

References

Disabled.

Rule Details

Defines the .NET regular expression with which the rule normalizes log messages.

Complete regular expression. The regular expression applied to log messages. To define it, click Rule Creator. For further details, see Defining a Regular Expression for a Normalization Rule.

Description tab. Defines a description to be saved in the properties of Events normalized by the rule. The description may consist of literal strings along with variables for Event-field values (e.g. <Dst IP>). Tripwire recommends entering a description that summarizes the nature of the log messages. Throughout the TLC Console, this value is indicated by the 'Event Name' label. For example, in the Decision Settings tab of a Correlation Rule (see Table 96), you can define a condition for a Decision that references the value entered here.

Replace tab. See Working with Find-and-Replace Values in Regular Expressions.

Settings

General settings for the Normalization Rule.

Enabled. Enables/disables the rule.

Rule ID. A unique ID for the rule. The IDs of user-defined rules range from 1-999, and Tripwire-defined rules range from 1,000-99,999,999.

Revision. The revision number for the rule. If you change the Rule Details tab and save the rule, TLC increments the revision number by one.

Group. The Normalization-Rule Group to which the rule is currently assigned.

Legacy Classification. A category for the type of log messages to be normalized by the rule.

Monitored Asset type. The type of Monitored Asset to which the rule normalizes log messages.

Monitored Asset Output Destination. The type of Output Destination to which TLC will forward each Normalized Message created by the rule. Options include:

Audit Logger. If the Audit Logger is assigned as an Output Destination in the properties of the associated Monitored Asset and/or Asset Group, TLC forwards the Normalized Message to the Audit Logger. If the Correlation Engine or an Event-Management Database is assigned as an Output Destination, the Normalized Message will not be forwarded to the Output Destination.

Note: If the Save log messages for all Monitored Assets setting is enabled in the Audit Logger tab of your Manager's properties dialog (see Table 41), TLC will automatically save all log messages generated by your Monitored Assets in the Audit Logger. If the Save log messages from unknown hosts setting is enabled in the Audit Logger tab, TLC will also save log messages generated by any Log Sources for which TLC lacks a Monitored Asset.

Event Framework. If an Event Database, the Correlation Engine, or Audit Logger is assigned as an Output Destination in the properties of the associated Monitored Asset and/or Asset Group, TLC forwards the Normalized Message to the Output Destination. If an IDS Database or Firewall Database is assigned as an Output Destination, the Normalized Message will only be forwarded if the message contains values for all fields required by TLC for the type of database.

Note: To determine which fields are required by TLC for each type of Event-Management Database, contact Tripwire Support.

IDS. If an IDS Database, an Event Database, the Correlation Engine, or Audit Logger is assigned as an Output Destination in the properties of the associated Monitored Asset and/or Asset Group, TLC forwards the Normalized Message to the Output Destination. If a Firewall Database is assigned as an Output Destination, the Normalized Message will only be forwarded if the message contains values for all fields required by TLC for a Firewall Database.

Firewall. If a Firewall Database, an Event Database, the Correlation Engine, or Audit Logger is assigned as an Output Destination in the properties of the associated Monitored Asset and/or Asset Group, TLC forwards the Normalized Message to the Output Destination. If an IDS Database is assigned as an Output Destination, the Normalized Message will only be forwarded if the message contains values for all fields required by TLC for an IDS Database.

Output Destinations are specified in the properties of Monitored Assets (see Working with Monitored Assets). 

Collector type. The type of Collector for which the rule normalizes log messages.

Response. Specifies a response to be taken by TLC when the rule creates a Normalized Message.

Forward Normalized Messages to Output Destinations. TLC forwards the message to the Output Destinations specified by the Monitored Asset (see Working with Monitored Assets).

Run any Email Actions assigned to the rule. TLC runs only the Email Actions assigned in the Alert Options tab.

Drop Normalized Messages. TLC drops any Normalized Messages created by the rule (i.e. TLC does not run any Actions or save the message as an Event in an Event-Management Database).

Silently drop Normalized Messages. TLC silently drops any Normalized Messages created by the rule.

Rule priority. This is the default priority for the rule. If TLC normalizes a log message with this rule and others, this value determines the order in which TLC runs the rules. Rules with lower values will be run first.

Windows Event Filter

Note: This tab is only available if the WinLog Collector is selected in the Collector Type field of the Settings tab. This tab's settings only apply to log messages (a.k.a., event logs) generated by Windows Event Logs in the Common Event Format (CEF).

The fields in this tab determine if TLC will normalize a log message (i.e., event log) with the .NET regular expression defined in the Rule Details tab. If a log message matches the specified values, TLC normalizes the message.

The following list 1) defines each field, and 2) indicates the format in which the field's value is presented in the content of a Windows event log.

Event ID. The Event ID assigned to an event log: 

eventid=<id>

Tip: If a Classification Condition is not defined in the Classification tab, then you must enter a value in the Event ID field.

The text fields in this tab support the following operators: 

! acts as a Not operator when inserted prior to the entered value.

| acts as an Or operator. For example, in the Event ID field, this entry specifies 554 or 558: 

554|558

Event content. (Optional) The content of a log-event message: 

msg=<content>

Username. (Optional) The username of the Windows user account responsible for the event that generated an event log: 

username=<username>

Source. (Optional) The system from which an event log is collected: 

dhost=<source>

Category Name. (Optional) The category of the Event ID: 

category=<category>

Category Number. (Optional) A unique identifier for the Category Name: 

cid=<category_number>

Event type. Select each type of event log to be normalized by the rule. In an event log, each Event Type appears between two pipe characters; for example: 

|Audit Success|

Event logs to normalize. Select each Windows Event Log for which the rule will normalize log messages. In an event log, the source Windows Event Log is specified by: 

logname=<logname>
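The field formats and operators listed in this tab, as an added example that is not TLC code: a Python sketch that parses the key=value fields named above out of a constructed CEF-style event line and applies a Windows Event Filter to it, honouring the leading ! (Not) and the | (Or) operators. The single-line event layout, the exact-match comparison for text fields, and the WindowsEventFilter class are assumptions made for the example; the page documents only the field names and the two operators.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the Windows Event Filter tab (added example, not TLC code).
@dataclass
class WindowsEventFilter:
    event_id: str                                   # required; compared with eventid=
    event_content: str = ""                         # optional; compared with msg=
    username: str = ""                              # optional; compared with username=
    source: str = ""                                # optional; compared with dhost=
    category_name: str = ""                         # optional; compared with category=
    category_number: str = ""                       # optional; compared with cid=
    event_types: set = field(default_factory=set)   # e.g. {"Audit Success"}; empty = any
    lognames: set = field(default_factory=set)      # e.g. {"Security"}; empty = any


def text_field_matches(spec: str, value: Optional[str]) -> bool:
    """Apply the tab's operators: a leading '!' negates, '|' separates alternatives.
    An empty field places no constraint. Exact comparison is an assumption."""
    if not spec:
        return True
    negate = spec.startswith("!")
    alternatives = [a.strip() for a in spec.lstrip("!").split("|") if a.strip()]
    hit = value is not None and value in alternatives
    return not hit if negate else hit


def parse_event(content: str) -> dict:
    """Pull the event type (between pipes) and key=value fields out of one event line.
    The one-line layout with space-separated key=value pairs is constructed for this example."""
    ev = {}
    m = re.search(r"\|([^|]+)\|", content)
    if m:
        ev["eventtype"] = m.group(1)
    # Values may contain spaces (msg=, category=), so read up to the next ' key=' or end of line.
    for key, val in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", content):
        ev[key] = val
    return ev


def filter_matches(f: WindowsEventFilter, ev: dict) -> bool:
    """True when every configured field of the filter agrees with the parsed event."""
    text_checks = [
        (f.event_id, ev.get("eventid")),
        (f.event_content, ev.get("msg")),
        (f.username, ev.get("username")),
        (f.source, ev.get("dhost")),
        (f.category_name, ev.get("category")),
        (f.category_number, ev.get("cid")),
    ]
    if not all(text_field_matches(spec, val) for spec, val in text_checks):
        return False
    if f.event_types and ev.get("eventtype") not in f.event_types:
        return False
    if f.lognames and ev.get("logname") not in f.lognames:
        return False
    return True


# Equivalent to entering 554|558 in Event ID and !SYSTEM in Username, ticking
# Audit Success and Audit Failure, and selecting the Security log (constructed filter).
LOGON_FILTER = WindowsEventFilter(
    event_id="554|558",
    username="!SYSTEM",
    event_types={"Audit Success", "Audit Failure"},
    lognames={"Security"},
)

# Constructed sample events (not from the original page).
SAMPLE_EVENTS = [
    "|Audit Success| eventid=554 logname=Security dhost=DC01 username=jsmith category=Logon/Logoff cid=2 msg=A user logged on",
    "|Audit Failure| eventid=558 logname=Security dhost=DC01 username=SYSTEM category=Logon/Logoff cid=2 msg=Logon attempt failed",
    "|Audit Success| eventid=560 logname=Security dhost=DC01 username=jsmith category=Object Access cid=3 msg=Object opened",
]


def matching_event_ids(f: WindowsEventFilter, events) -> list:
    """Event IDs of the events the filter would pass on to the Rule Details regular expression."""
    return [parse_event(e)["eventid"] for e in events if filter_matches(f, parse_event(e))]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(filter_matches(LOGON_FILTER, parse_event(e)), e[:60])
```

Only the first sample event passes: the second has a matching Event ID but is excluded by the !SYSTEM username, and the third has an Event ID outside the 554|558 alternatives. A filter that passes is still only the gate; the message is then normalized with the regular expression from the Rule Details tab.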