Summarization rules control how native events are displayed in the refined event. You configure a summarization display by selecting Summarized by fields and Aggregated fields.
To configure a summarization rule display
Controls the field or fields by which the summarized information is grouped. For example, in the case of a rule summarizing failed logins, select source_username to display the number of qualified failed login events for each unique user. You must select one or more Summarized By fields to complete the rule.
Controls the field or fields by which the summarized information is subdivided, depending on the Summarized By field. For example, in the case of a rule summarizing failed logins, select source_username as a Summarized By field, and dest_hostname as an Aggregated field. This displays the number of qualified failed login events for each unique user, subdivided by the host that the user attempted to log into.
The aggregated fields' information is retained in the summarized events' raw event field. In the preceding example each unique host on which the user attempted the log on will be stored along with the number of occurrences, in the following format: hostname1:2,hostname2:5. This example shows 2 logon attempts from host 1 and 5 attempts from host 2.
Aggregated fields are optional - you do not have to select an Aggregated field to complete the rule.
If you click Save and Close, the new rule appears in the list, otherwise the step you choose appears.
When you create a new rule, it is saved as version 1.0. If you later edit the rule, a separate copy of the rule is stored as a new version. You can view earlier versions, and apply or copy them as needed.
|
Copyright © 2013 CA.
All rights reserved.
|
|