Normalization is the process through which data in the incoming logs are grouped into key-value pairs. You can define different Normalization Policies in LogPoint to determine the normalization mechanism of the data. Each normalization policy is a combination of one or more normalization packages.
Normalization Policies
While creating a normalization policy, you can select the Compiled Normalizers as well as the regex-based normalization packages.
If a normalization policy contains both types of normalizers, LogPoint first uses the compiled normalizers to normalize an incoming log. The regex-based normalizers are used only if all of the compiled normalizers fail to normalize it. The normalization packages are prioritized by the order you provide while creating the normalization policy.
Create Normalization Policy Panel
For the normalization policy in the example above, LogPoint first tries to normalize an incoming log using the CEFCompiledNormalizer. If the normalization fails, it tries to get it normalized using the PaloAltoCompiledNormalizer and then the ZscalerCompiledNormalizer. If the normalization is still not successful, LogPoint finally uses the LP_WebServer Common Log Format and then the LP_Sonicwall Firewall.
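The fall-through order described above can be modelled in a few lines. This is an added illustration, not LogPoint code: the parsers are simplified stand-ins, only the names CEFCompiledNormalizer and LP_WebServer Common Log Format come from this page, and GENERIC is a hypothetical broad signature included to show why package order matters.

```python
import re

# Stand-in for a compiled normalizer: parses the CEF header into key-value pairs.
def cef_normalizer(log):
    if not log.startswith("CEF:"):
        return None
    parts = log[4:].split("|", 7)
    if len(parts) < 7:
        return None
    keys = ["cef_version", "vendor", "product", "device_version",
            "signature_id", "name", "severity"]
    return dict(zip(keys, parts[:7]))

# Stand-in for a regex-based package: one signature for Common Log Format.
CLF = re.compile(r'(?P<source_address>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)')
# Hypothetical broad signature: matches any line that starts with an IPv4 address.
GENERIC = re.compile(r'(?P<source_address>\d+\.\d+\.\d+\.\d+) (?P<msg>.*)')

def regex_package(pattern):
    def normalize(log):
        m = pattern.match(log)
        return m.groupdict() if m else None
    return normalize

def apply_policy(log, compiled, regex_based):
    """Try compiled normalizers in order, then regex packages in order.
    Returns (normalizer_name, fields) for the first success, else (None, {})."""
    for name, fn in list(compiled) + list(regex_based):
        fields = fn(log)
        if fields is not None:
            return name, fields
    return None, {}

COMPILED = [("CEFCompiledNormalizer", cef_normalizer)]
REGEX = [("LP_WebServer Common Log Format", regex_package(CLF))]

SAMPLES = [  # constructed sample logs
    'CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=192.0.2.10',
    '192.0.2.20 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    'unstructured message that matches nothing',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(apply_policy(s, COMPILED, REGEX))
```

Placing the GENERIC package ahead of the Common Log Format package makes it win for the web server sample, so the user, status and URL fields are never extracted. Keeping the most specific packages highest in the policy avoids losing fields that detections and searches depend on.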
Note
The compiled normalizers are available as plugins.
The normalization policies are used to group normalization signatures as per your device requirement.
For example, if you have an MS Windows 2008 server running MS-SQL 2005, then you can create a normalization policy consisting of the normalization packages for Windows 2008 and MS-SQL 2005 and apply this policy to the server.
You can create normalization policies by combining various normalization packages and compiled normalizers as per your requirement.
It is recommended that you create different normalization policies for similar types of normalization packages.
Go to Settings >> Configuration from the navigation bar and click Normalization Policies.
Adding a Normalization Policy
Click Add.
Provide a Policy Name.
Select the available Normalization Packages and Compiled Normalizers that you want to use in the policy. You can do this by:
Double-clicking the packages.
Dragging and dropping the packages from the left pane to the right.
Selecting a package and clicking the > button.
You can click the View Signatures button at the bottom-left corner of the panel to view all the signatures in the selected packages.
Click Submit.
Note
Click the ? icon near the top-right corner to get help on the inputs.
Go to Settings >> Configuration from the navigation bar and click Normalization Policies.
Click the Name of the required normalization policy.
Update the information.
Click Submit.
Note
You cannot edit the name of a normalization policy.
Go to Settings >> Configuration from the navigation bar and click Normalization Policies.
Click the Delete icon under the Actions column of the policy.
To delete multiple normalization policies, select the policies. Click the More drop-down menu and choose Delete Selected.
To delete all the normalization policies, click the More drop-down menu and choose Delete All.
A delete confirmation dialog box appears on the screen. Click Yes to proceed.