Refining and auditing correlation threads

Correlation threads are the first stage of correlation. (Later stages are discussed as follows and within Using BMC Defender Server applications.) The out-of-box correlation threads and any new threads you create should be audited to see if they contain proper data. It is often the case that small changes might be necessary to a thread, or a new thread needs to be derived from an existing thread with small changes applied. The procedure for auditing and refining a thread is as follows:

  1. Log on to the BMC Defender Server system and click the Correlation > Threads tab at the top of the screen. The message counts for each thread appear to the right of the thread counter. (The history count indicates the number of messages received since the thread was configured, whereas the Count value indicates the number of messages received since BMC Defender Server startup. Both counters track each other.)
  2. If any thread has excessive counts, it is a good candidate for refinement and modification. Click the Thread Title hyperlink and inspect the messages being assigned to the thread. If a particular message is not appropriate for the thread or not pertinent, make a note of the message content. Pick a unique word in the message that is not appropriate for the thread title.
  3. Click back to view the main thread display, and click Edit for the thread. This displays the Thread Editor screen.
  4. Modify the Match Expr value for the thread by appending an additional qualifier. This qualifier is typically and not (patt), appended to the end of the match expression. This excludes further messages with the specified keyword from the thread.
  5. Click Save to save the change to the thread. As an alternative, the existing thread can be retained unmodified and a new thread can be created with the change using SaveAs. (If you click SaveAs, you also need to modify the title of the thread before it can be saved. See further notes.)

The threads that come with BMC Defender Server, while useful, are fairly generic. It is often useful to make more specific threads, retaining the existing thread.

Example

You can edit the Admin Login Failures thread, change the title to Main Server Admin Login Failures, and specify the IP address for the main server. Clicking SaveAs creates a new thread that contains the login failures specific to the main server. The original thread continues to operate exactly as before.

If any changes are made to a Thread, you should consider executing the Regenerate Thread to update the thread contents with the new match pattern. (The Regenerate Thread function is described at the end of the previous procedure.)

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*