Raw Event Properties in Normalization Actions
Running a raw event search returns a large set of properties. In normalization actions, only use the properties that originate from the raw event source. Other properties may exist in the raw event record, including temporary properties created during default normalization, properties resembling the USM alert properties, and others. Assigning any properties other than those from the raw event source breaks the event policy.
Use the following guidelines to help ensure that you are using true raw event properties in normalization mapping:
- True raw event properties are often prefixed by their event source names. For example, raw event properties from the SNMP connector are prefixed by 'snmp_'. The Event connector also follows this convention. For example, raw event properties from the Windows Event Log adaptor are prefixed by 'syslog_'. However, some connectors do not follow this convention.
- Variable bindings from the SNMP connector are split into properties prefixed with 'varbind-' followed by the OID number. These properties are acceptable for normalization mapping.
- Do not map to properties prefixed by 'temp_' or 'internal_'. These are properties created during event processing, and they do not exist when the normalization action runs.
- Do not map to properties prefixed by 'usm_' or those that have the same name as USM properties. These are not raw properties from the event source.
- If you cannot tell from the search results which properties are true raw event properties, see the default policy file for the connector. The raw event properties appear as inputs.
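The following script is an added example, not part of this documentation or of CA's own tooling. It applies the guidelines above to the property names returned by a raw event search and sorts them into three groups: names that are safe to use as normalization inputs, names that must not be mapped, and names that need to be checked against the connector's default policy file because they carry no recognizable source prefix. The sample raw event record and the list of USM property names are constructed for illustration; the real USM property list and any additional connector prefixes are deployment specific and would be filled in from your own policy files.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Prefixes the guidelines mark as never acceptable for normalization mapping:
# 'temp_' and 'internal_' properties are created during event processing and do
# not exist when the normalization action runs; 'usm_' properties are not raw.
FORBIDDEN_PREFIXES = ("temp_", "internal_", "usm_")

# Source-name prefixes the guidelines name as true raw event properties.
# Assumption: other connectors that follow the convention would be added here.
RAW_SOURCE_PREFIXES = ("snmp_", "syslog_")

# SNMP variable bindings: 'varbind-' followed by a dotted OID such as 1.3.6.1.4.1
VARBIND_RE = re.compile(r"^varbind-\d+(\.\d+)*$")

# Constructed sample of USM property names (the real list comes from your deployment).
# A raw property with exactly the same name as a USM property must not be mapped.
USM_PROPERTY_NAMES = frozenset(
    {"Severity", "AlertType", "Summary", "ItemName", "OccurrenceTime"}
)


@dataclass(frozen=True)
class Verdict:
    name: str
    status: str   # "accept", "reject" or "review"
    reason: str


def classify_property(name: str, usm_names: Iterable[str] = USM_PROPERTY_NAMES) -> Verdict:
    """Classify one property name from a raw event search result.

    Matching is case-sensitive: property names are compared exactly as the
    search returned them, so that e.g. 'Severity' collides with the USM name.
    """
    for prefix in FORBIDDEN_PREFIXES:
        if name.startswith(prefix):
            return Verdict(name, "reject", f"'{prefix}' property is not from the raw event source")
    if name in set(usm_names):
        return Verdict(name, "reject", "same name as a USM property")
    if VARBIND_RE.match(name):
        return Verdict(name, "accept", "SNMP variable binding")
    for prefix in RAW_SOURCE_PREFIXES:
        if name.startswith(prefix):
            return Verdict(name, "accept", f"raw property from the '{prefix[:-1]}' source")
    # Some connectors do not follow the prefix convention, so an unrecognized
    # name is neither accepted nor rejected: confirm it in the default policy file.
    return Verdict(name, "review", "no known source prefix; check the connector's default policy file")


def partition_properties(names: Iterable[str]) -> Dict[str, List[Verdict]]:
    """Group a raw event record's property names by verdict status."""
    groups: Dict[str, List[Verdict]] = {"accept": [], "reject": [], "review": []}
    for name in names:
        verdict = classify_property(name)
        groups[verdict.status].append(verdict)
    return groups


def safe_mapping_inputs(names: Iterable[str]) -> List[str]:
    """Return only the names that may be used as normalization action inputs."""
    return [v.name for v in partition_properties(names)["accept"]]


# Constructed sample of what a raw event search might return for one SNMP trap.
SAMPLE_RAW_EVENT = {
    "snmp_trapOID": "1.3.6.1.4.1.791.2.10",
    "snmp_agentAddress": "192.0.2.10",
    "varbind-1.3.6.1.4.1.791.2.10.1": "link down",
    "temp_hostname": "router1",        # created during processing; gone at action time
    "internal_eventId": "42",          # created during processing; gone at action time
    "usm_severity": "Critical",        # resembles a USM property, not raw
    "Severity": "Critical",            # same name as a USM property, not raw
    "custom_site": "DC-East",          # no recognizable prefix; needs review
}

if __name__ == "__main__":
    for status, verdicts in partition_properties(SAMPLE_RAW_EVENT).items():
        print(f"== {status} ==")
        for v in verdicts:
            print(f"  {v.name}: {v.reason}")
```

The "review" bucket is deliberate: the guidelines say some connectors do not use a source prefix, so a name that matches no rule is not rejected outright but flagged for a check against the connector's default policy file, where raw properties appear as inputs.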
Copyright © 2013 CA.
All rights reserved.