Classify operations begin with a <Classify> property. The <Classify> property refines an <EventClass>.
This property has the following format:
<EventClass name=>
    <Classify>
        <Field input= pattern= output= outval= />
    </Classify>
</EventClass>
name: Defines the name of the event class that you are using to create the connector policy.
input: Defines the event property whose value is used for the classification.
pattern: Defines the regular expression that the input value must match for an event to be classified.
output: Defines the event property to which the outval value is assigned. Normally, the output is the eventtype.
outval: Defines the value assigned to the output property. This is usually a more specific eventtype value.
Example: Classify Windows Event Log events into specific subgroups
The following example separates events received from the Windows Event Log event source that match the specified patterns into two subgroups: SYSLOG-SEC and SYSLOG-APP.
<EventClass name="SYSLOG">
    <Classify>
        <Field input="msg" pattern="^Sec.*$" output="eventtype" outval="SYSLOG-SEC" />
        <Field input="msg" pattern="^App.*$" output="eventtype" outval="SYSLOG-APP" />
    </Classify>
</EventClass>
The <Classify> property searches the message text (the event property named by the input attribute, msg here) of events received from the Windows Event Log for text beginning with Sec or App and classifies events that qualify into the more specific SYSLOG-SEC and SYSLOG-APP eventtypes. This property creates new Windows Event Log subgroups for events received from the security and application logs.
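As an added example (not part of the CA documentation), the following Python script parses a connector-policy fragment like the one above and applies its <Field> rules to constructed sample events. It assumes that rules are evaluated in document order with the first match winning, and that an event matching no rule keeps its existing eventtype; both assumptions are noted in the code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy fragment: the page's example with the outval quoting fixed.
POLICY_XML = """
<EventClass name="SYSLOG">
  <Classify>
    <Field input="msg" pattern="^Sec.*$" output="eventtype" outval="SYSLOG-SEC" />
    <Field input="msg" pattern="^App.*$" output="eventtype" outval="SYSLOG-APP" />
  </Classify>
</EventClass>
"""

# Constructed sample events; "eventtype" is the class assigned before refinement.
SAMPLE_EVENTS = [
    {"eventtype": "SYSLOG", "msg": "Security audit: logon succeeded"},
    {"eventtype": "SYSLOG", "msg": "Application error in svchost"},
    {"eventtype": "SYSLOG", "msg": "System: service started"},   # no rule matches
    {"eventtype": "SYSLOG", "msg": "security log cleared"},       # case-sensitive miss
]


def load_classify_rules(policy_xml):
    """Parse <Field> rules under <EventClass>/<Classify>, in document order."""
    root = ET.fromstring(policy_xml.strip())
    if root.tag != "EventClass":
        raise ValueError("expected an <EventClass> root element")
    rules = []
    for field in root.findall("./Classify/Field"):
        rules.append((field.attrib["input"], re.compile(field.attrib["pattern"]),
                      field.attrib["output"], field.attrib["outval"]))
    return root.attrib["name"], rules


def classify_event(event, rules):
    """Set the output property from the first rule whose pattern matches the
    input property (assumption: first match wins; unmatched events are unchanged)."""
    result = dict(event)
    for input_name, pattern, output, outval in rules:
        value = event.get(input_name)
        if value is not None and pattern.search(value):
            result[output] = outval
            break
    return result


def classify_all(policy_xml, events):
    """Apply the policy to a batch of events and return their resulting eventtypes."""
    _, rules = load_classify_rules(policy_xml)
    return [classify_event(e, rules)["eventtype"] for e in events]
```

The last two sample events show the two ways an event stays in the parent SYSLOG class: no pattern matches at all, or the text differs only in case, since the patterns are case-sensitive.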
Copyright © 2013 CA.
All rights reserved.