Working with Event Policies and Actions › Create an Event Policy with a Normalization Action › Normalization Action Examples

Normalization Action Examples

The following examples show how you can use the normalize event action to perform custom mappings of raw event properties to USM alert properties.

Example: Normalize Windows Event Log security events to make them easier to categorize

This example illustrates how to normalize events from the Security log in the Windows Event Log. The default policy for Windows Event Log events does not map vital information to USM alerts such as the following:

• Source event log (Security, System, Application, and so on)
• User
• Category

The normalization action in this example makes this information a part of the resultant alert, and you can organize the normalized alerts into queues.

• Run the following raw event search that is scoped to the MS-Syslog source, and click Map Events:

  syslog_source='Security'
  

• Select Normalize Event, and assign the following mappings on the Normalize Event page:

  Assignee: ${pattern1.syslog_user}

  Maps the Assignee property to the internal Windows user information. This information does not appear in alerts that the default policy normalizes.

  User Attribute 1: ${pattern1.syslog_source}

  Maps the User Attribute 1 property to the Windows Event Log source event log. This information does not appear in alerts that the default policy normalizes. You can use it to assign all security events to a specialized queue.

  User Attribute 2: ${pattern1.syslog_category}

  Maps the User Attribute 2 property to the internal event category. This information does not appear in alerts that the default policy normalizes.

  Use the Service right-click menu to assign the AlertedMdr properties to a managed service so that the normalized event appears on that service CI.

  All other properties obtain their values from the default connector policy.

• Deploy the policy on the Windows Event Log data source.
• (Optional) Create an alert queue named Security. Configure the queue to add alerts when the User Attribute 1 property equals Security to group all alerts from the Security log.

Example: Normalize CA Workload Automation traps to assign variable bindings to USM properties

This example normalizes SNMP traps from CA Workload Automation to include important variable binding information in properties. The properties appear on the Operations Console when the event becomes an alert. Default policy for SNMP sources includes all trap varbind values in one property. Event Management splits variable bindings and their values into separate properties in the Event Store. You can map each varbind to its appropriate USM alert property.

Note: This normalization is similar to the default policy for the SNMP connector, which is written for CA Workload Automation traps as an example.

• Run the following raw event search that is scoped to the Generic SNMP Traps source that the SNMP connector provides. Click Map Events:

  snmp_enterprise="1.3.6.1.4.1.11203"
  

  This search returns traps with an enterprise OID that indicates the traps are from CA Workload Automation.

• Select Normalize Event, and assign the following mappings on the Normalize Event page:

  Mdr Element ID: ${pattern1.snmpagent}:${pattern1.varbind-1.3.6.1.4.1.203.7}:${pattern1.varbind-1.3.6.1.4.1.203.9}

  Maps the MdrElementID property to a combination of the varbinds that indicate the source server, application name, and job name.

  Severity: Use Map Function

  Maps the Severity property to the varbind that indicates the job status. Map the values for varbind-1.3.6.1.4.11203.6 to valid Severity values using the Map function:

  Value column: USM Value column

  • Unknown|Abandon Submission: Unknown
  • Exec: Informational
  • Complete|Monitor|Ready: Normal
  • Inactive: Minor
  • Overdue|Suberror: Major
  • Failed|Premature|Agent Down: Critical

  Note: The Preview cell does not support map values that are derived through regular expressions. If the map value uses a regular expression, the Preview cell displays a message 'Mapping not found by preview'. However, the mapping itself occurs as expected in actual event policy.

  Summary: ${pattern1.varbind-1.3.6.1.4.11203.5}

  Maps the summary property to the trap job status message.

  Message: ${pattern1.varbind-1.3.6.1.4.11203.6} alert on ${pattern1.varbind-1.3.6.1.4.1.203.9} scheduled on ${pattern1.snmp_agent}

  Maps the Message property to the following statement: 'jobstatus alert on jobname that is scheduled on agentserver'.

  User Attribute 1: ${pattern1.varbind-1.3.6.1.4.1.203.7}

  Maps the User Attribute 1 property to the source application name.

  Use the Service right-click menu to assign the AlertedMdr properties to a managed service so that the normalized event appears on that service CI.

  All other properties obtain their values from the default connector policy.

• Deploy the policy on the SNMP connector data source.
• (Optional) Create alert queues that are based on key identifiers such as the job name or the application name to manage the traps most effectively.

Example: Normalize Windows operating system traps

This example normalizes traps that are collected from the Windows operating system and are related to services starting and stopping.

Note: For this example to work, configure Windows to generate traps for Event ID 7036. Use the Windows Event to Trap Translator and send the traps to the SNMP connector system.

• Run the following raw event search that is scoped to the Generic SNMP Traps source that the SNMP connector provides. Click Map Events:

  snmp_specificTrap="1073748860"
  

  This search returns traps that Windows generates for starting and stopping operating system services.

• Select Normalize Event, and assign the following mappings on the Normalize Event page:

  Mdr Element ID: ${pattern1.snmp_SpecificTrap}:${pattern1.varbind-1.3.6.1.4.1.311.1.13.1.9999.6.0}

  Maps the MdrElementID property to the specific trap ID and the affected Windows service.

  Severity: Use Map Function

  Maps the Severity property to the service status. Right-click the cell, select Map, and map the values for varbind-1.3.6.1.4.1.311.1.13.1.9999.7.0 to valid Severity values using the Map function:

  • running: Normal
  • stopped: Critical

  Summary and Message: ${pattern1.varbind-1.3.6.1.4.1.311.1.13.1.9999.1.0}

  Maps the Summary and Message properties to the service message.

  Alert Type: Risk

  Maps the AlertType property to a static value of Risk.

  Occurrence Timestamp and Report Timestamp: fx:xsdateTime()

  Maps the required time-based USM properties to the current time. Find this value by right-click the cell and selecting Functions, fx:xsdateTime-now.

  Use the Service right-click menu to assign the AlertedMdr properties to a managed service so that the normalized event appears on that service CI.

• Deploy the policy on the SNMP connector data source.