Normalization Policies

A normalization policy combines Normalization Packages and Compiled Normalizers to translate raw log messages into Logpoint taxonomy. We recommend creating the same normalization policy for different types of normalization packages to ensure consistency and efficiency. For example, you can create one normalization policy for a server running MS Windows 2008 and MS-SQL 2005 by adding Windows 2008 and MS-SQL 2005 normalization packages.

Logpoint provides a default normalization policy, _default_syslog, which normalizes the unregistered logs from any syslog source. To edit the normalization policy, click the name and update the information.

Figure: Normalization Policies

Compiled Normalizers

Compiled normalizers contain predefined rules used to normalize logs. When creating a normalization policy, you can select compiled normalizers as well as the regex-based normalization packages. If a normalization policy contains both types of normalizers, Logpoint first uses the compiled normalizers to normalize an incoming log and uses the regex-based normalizers only if the compiled normalizers fail to normalize it. The normalization packages are prioritized by the order you enter when creating the normalization policy. The compiled normalizers are available as plugins.

Figure: Create Normalization Policy

For the normalization policy in the example above, Logpoint first tries to normalize an incoming log using the CEFCompiledNormalizer. If the normalization fails, it tries to get it normalized using the PaloAltoCompiledNormalizer and then the ZscalerCompiledNormalizer. If the normalization is still not successful, Logpoint uses the LP_WebServer Common Log Format and then the LP_Sonicwall Firewall.
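The fallback order described above can be modeled in a few lines. This is an added illustration, not Logpoint code: the two parser functions, the output field names and the sample logs are constructed, and stopping at the first normalizer that succeeds is an assumption drawn from the description.

```python
import re

def cef_compiled(log):
    """Hypothetical stand-in for a compiled normalizer (CEF header only)."""
    start = log.find("CEF:")
    if start < 0:
        return None
    parts = log[start + 4:].split("|", 7)   # 7 header fields + extension
    if len(parts) < 7:
        return None                          # malformed header: fail, fall through
    return {"vendor": parts[1], "product": parts[2],
            "event_name": parts[5], "severity": parts[6]}

# Hypothetical regex signature for a Common Log Format package.
CLF = re.compile(r'(?P<source_address>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status_code>\d{3}) ')

def clf_package(log):
    m = CLF.search(log)
    return m.groupdict() if m else None

def normalize(log, compiled, packages):
    """Compiled normalizers first, then regex packages, each in listed order.
    Assumption: the first normalizer that succeeds ends the search."""
    for name, parse in list(compiled) + list(packages):
        fields = parse(log)
        if fields is not None:
            return name, fields
    return None, {}                          # nothing in the policy matched

COMPILED = [("CEFCompiledNormalizer", cef_compiled)]
PACKAGES = [("LP_WebServer Common Log Format", clf_package)]

# Constructed sample logs (documentation address ranges).
SAMPLES = [
    "<134>Jan 10 10:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=192.0.2.10",
    '192.0.2.44 - alice [10/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 512',
    "Jan 10 10:00:02 host01 custom-app: unstructured message",
]

if __name__ == "__main__":
    for log in SAMPLES:
        name, fields = normalize(log, COMPILED, PACKAGES)
        print(name or "UNNORMALIZED", fields)
```

The third sample matches nothing in the policy and comes back without fields, which is the case to look for when a source's logs do not show up in field-based searches.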

Adding a Normalization Policy

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click ADD.

  3. Enter a Policy Name.

  4. Select the Normalization Packages and Compiled Normalizers to use in the policy.

    4.1. Double-click the packages.

    4.2. Drag and drop the packages from left to right.

    4.3. Select a package and click the swap (>) button.

  5. Click View Signatures to view all the signatures in the selected packages.

Figure: Create Normalization Policy

  6. Click Submit.

Click the ? symbol near the top-right corner for context-sensitive help.

Editing a Normalization Policy

You cannot edit the name of a normalization policy.

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click the Name of the required normalization policy and update the information.

  3. Click Submit.

Deleting Normalization Policies

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click the Delete icon under Actions.

    1. To delete multiple normalization policies, select the policies. Click MORE and choose Delete Selected.

    2. To delete all the normalization policies, click MORE and choose Delete All.

    Figure: Deleting Normalization Policies

  3. Click Yes.

