This section contains the following topics:
About the Event Refinement Library
Supporting New Event Sources with the Event Refinement Library
The event refinement library provides you with tools to create new parsing and mapping files, or to modify copies of existing ones to provide support for new devices, applications, and so forth. The library includes the following options:
Suppression rules prevent data from being collected, or prevent it from being inserted into the event log store. Summarization rules allow you to aggregate events to reduce the number of inserts for similar event types or actions. This is the most frequently used part of the library since suppression and summarization rules can help to tune both network and database performance.
You can use the integrations area to view predefined integrations and to create new integrations for your custom or proprietary devices, applications, files, or databases.
To support a device, application, database, or other event source that is not already supported, use the mapping and parsing file wizards and the integrations wizard to create the necessary components.
The process involves the following general steps:
Integrations, parsing and mapping files, and suppression and summarization rules are covered in depth in the CA User Activity Reporting Module Administration Guide and the online help.
During operation, CA User Activity Reporting Module reads each incoming event and splits it into its component parts, a step called parsing. There are separate message parsing files for different devices, operating systems, applications, and databases. After an incoming event has been parsed into name-value pairs, that data passes through a mapping module that places it into fields in the database.
The mapping module uses data mapping files that, like the message parsing files, are built for specific event sources. The database schema is the common event grammar, one of the central features of CA User Activity Reporting Module.
Parsing and mapping together are the means by which data is normalized and stored in a common database regardless of event type or message format.
The integration wizard and some of the CA Technologies Adapter modules require you to configure the mapping and parsing files that best describe the kinds of event data for which a connector or an adapter listens. In the configuration panels where these controls appear, order the message parsing files by the relative number of events received of each type, with the most frequent type first. Order the data mapping files in the same way, by the quantity of events received from each source.
For example, if the syslog listener module for a specific CA User Activity Reporting Module server receives mostly Cisco PIX Firewall events, you should put the CiscoPIXFW.XMPS and CiscoPIXFW.DMS files first in each respective list.
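As an added illustration of the pipeline described above (this is not CA's code, and the regexes and dictionaries are stand-ins, not the real XMPS or DMS file formats): constructed syslog lines are run through parsing files in a configured order, the parsed name-value pairs are mapped into common schema fields, a suppression rule drops events before insert, and the count of parse attempts shows why the highest-volume source belongs first in the list. The sample lines, field names and suppression rule are assumptions made for the example.

```python
import re

# Constructed sample syslog lines (not real device output): four PIX-like firewall
# messages and one sshd message, so the firewall is the high-volume source here.
SAMPLE_EVENTS = [
    "pixfw: deny tcp src=10.0.0.5 dst=192.0.2.9 port=445",
    "pixfw: allow tcp src=10.0.0.7 dst=192.0.2.10 port=443",
    "pixfw: deny udp src=10.0.0.5 dst=192.0.2.9 port=53",
    "sshd: failed login user=root from=198.51.100.4",
    "pixfw: allow tcp src=10.0.0.8 dst=192.0.2.11 port=80",
]
# Hypothetical stand-ins for message parsing files (real XMPS files are not regexes).
PARSERS = {
    "CiscoPIXFW.XMPS": re.compile(
        r"^pixfw: (?P<action>\w+) (?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"),
    "SSHD.XMPS": re.compile(r"^sshd: (?P<result>\w+) login user=(?P<user>\S+) from=(?P<src>\S+)$"),
}
# Hypothetical stand-ins for data mapping files: parsed name -> common schema field.
MAPPINGS = {
    "CiscoPIXFW.XMPS": {"action": "event_action", "proto": "protocol", "src": "source_address",
                        "dst": "dest_address", "port": "dest_port"},
    "SSHD.XMPS": {"result": "event_result", "user": "dest_username", "src": "source_address"},
}

def parse(line, order):
    """Try parsing files in the configured order; return (name, pairs, attempts)."""
    for attempts, name in enumerate(order, start=1):
        match = PARSERS[name].match(line)
        if match:
            return name, match.groupdict(), attempts
    return None, {}, len(order)   # unparsed: every file in the list was tried

def map_fields(name, pairs):
    """Place parsed name-value pairs into schema fields using the matching mapping file."""
    return {MAPPINGS[name][k]: v for k, v in pairs.items() if k in MAPPINGS[name]}

def suppress(event):
    """Constructed suppression rule: do not insert permitted firewall traffic."""
    return event.get("event_action") == "allow"

def run_pipeline(lines, order):
    """Return the events that would be inserted and the total parser attempts made."""
    inserted, attempts = [], 0
    for line in lines:
        name, pairs, tried = parse(line, order)
        attempts += tried
        if name is not None:
            event = map_fields(name, pairs)
            if not suppress(event):
                inserted.append(event)
    return inserted, attempts
```

With the firewall parser listed first, the five sample lines cost 6 parse attempts and produce 3 inserts; with the list order reversed the same lines cost 9 attempts, which is the cost the ordering guidance above avoids.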
Copyright © 2014 CA Technologies. All rights reserved.