Normalizing rules are used for transforming events. Normalizing rules are defined in the NormalizingRules element nested in the InputSettings > RegExps > Source elements of the Feed Service configuration file.
There are two types of normalizing rules:
Rules for replacing one character sequence with another. They are specified in NormalizingRules/Replace elements. The character sequence to replace is specified in the input attribute of the NormalizingRules/Replace element, and the character sequence to insert in its place is specified in the output attribute. The asterisk (*) and question mark (?) are not treated as wildcard characters.
Each NormalizingRules/Replace element specifies one replacement rule; use several NormalizingRules/Replace elements to specify several rules.
Setting in the configuration file:
<NormalizingRules><Replace input="\=" output="="/></NormalizingRules>
Input data:
test event data url\=http://example.com dst\=12.32.124.44
Modified data:
test event data url=http://example.com dst=12.32.124.44
Rules for ignoring events that contain a character sequence. They are specified in NormalizingRules/Ignore elements of the Feed Service configuration file. The character sequence that identifies the events to be ignored is specified in the input attribute of the NormalizingRules/Ignore element; an event is ignored if it contains that sequence anywhere. The asterisk (*) and question mark (?) are not treated as wildcard characters.
Each NormalizingRules/Ignore element specifies one ignoring rule; use several NormalizingRules/Ignore elements to specify several rules.
Setting in the configuration file:
<NormalizingRules><Ignore input="Kaspersky Lab for ArcSight" /></NormalizingRules>
Example of an event to be ignored:
Kaspersky Lab for ArcSight | test event data url\=http://example.com dst\=12.32.124.44
Note that if both replacing rules and ignoring rules are set, the replacing rules are applied first and the ignoring rules next. An Ignore pattern therefore has to match the event text as it looks after all replacements have been applied, not the text of the original event.
Adding regular expressions
Regular expressions can be used in the input attribute of NormalizingRules/Ignore elements and, as the following example shows, of NormalizingRules/Replace elements.
Setting in the configuration file:
<NormalizingRules><Replace input="(<\d+>)" output="\n" /></NormalizingRules>
If the input character sequence has the format test_event_1 ip=1.2.3.4<123>test_event_2 ip=2.3.4.5, the regular expression matches <123> and replaces it with a line break, so the modified sequence consists of two parts:
test_event_1 ip=1.2.3.4
test_event_2 ip=2.3.4.5
For more information about regular expressions, see section "About regular expressions".