duffles
Level 7
Message 11 of 14

Re: Modify Data Source Rule Normalization

Thanks, I appreciate the screenshots. These are the same steps I have followed in the past; however, there are a few key differences in what it allows me to do:

* The parser applied to the data source is a pre-defined standard one by McAfee, so I can't change it; however, it allows me to copy it and make changes to the copied one, which I did, and I disabled the original parser.

* With the old parser disabled and the new parser enabled with the normalization changed, it still hit the data source rules relating to the old parser, so I disabled those also (as they cannot be deleted, modified or copied).

* With the old data source rules disabled, I had hoped the new parser would generate new auto-learned data source rules; however, it unfortunately did not.

Unfortunately, as this has taken too long, I have had to take another approach, which has worked.

I have set up the devices to send their logs in a different format and used a different parser, which has generated a bunch of new auto-learned data source rules that I can modify the normalization on without issue. This provides the functionality I require, so I am going to stick with it. I have to do a little tuning on the parser to get all the fields correct, but this is a lot quicker than trying to use the parser "JUNOS_SD Structured-Data Message".

Re: Modify Data Source Rule Normalization

Because you have an issue with the data source, that is why you did not succeed in changing the normalized ID.

So, in order to avoid this problem, you did set up the devices to send their logs in a different format and used a different parser, which will give you the ability to modify the normalization without any issue.

The procedure that I gave you has already been used many times to solve the issue, unless you have a problem at the data source, which is another issue.

rgarrett
Level 9
Message 14 of 14

Re: Modify Data Source Rule Normalization

Another option would be to put in an SR. The ASP would be downloaded with the fix, and you could follow the procedures as you outlined above.
