Normalization of input data
The first step in BMC Defender Server processing is normalization of input data. The Messages navigation tab of BMC Defender Server and its functions form about half of the entire system functionality.
One of the important things about BMC Defender Server is that this data normalization process can be trivial, or omitted entirely. The semantic correlation algorithms do not require normalized data. If you do implement input data normalization, it consists of configuring optional filters and overrides that lightly pre-process the incoming data and can make correlation setup easier.
When messages are received, they are first filtered and then passed through address, facility, and severity overrides.
- Filters—You can configure filters in the Messages > Config > Filters screen of the system. Each filter consists of a simple keyword or wildcard combination, without spaces. If an incoming message matches any filter, it is removed from the system (and placed in the special Filter screen for further reference).
- Address Overrides—After a message passes all the filters, the address override component processes it next. This component works like a filter, except that instead of removing the message it modifies the message's address when the message matches a simple keyword or wildcard combination. This is useful in environments that implement Network Address Translation (NAT), where the address a message arrives from is not the address of the device that generated it.
- Facility Overrides—After the address override component, the facility override component processes the message next. The facility code of the message can be modified when the message matches a simple keyword or wildcard combination. This is useful when correlating messages by facility. (In particular, you can define new and non-standard facilities as discussed in the next section.)
- Severity Overrides—After the facility override component, the severity override component processes the message next. The severity code of the message can be modified when the message matches a simple keyword or wildcard combination. This is useful when correlating messages by severity.
Keywords used for filtering and overriding data do not permit any of the correlation expressions defined in this section. (This is clearly identified on the filter and override screens.) The only expression permitted is a simple keyword match with optional wildcards. This restriction is necessary to preserve the extremely high throughput of the system, which approaches or exceeds 1000 messages per second.
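The following is an added example, written for this page and not BMC code, that models the four normalization stages in the documented order (filters, then address, facility and severity overrides) over a few constructed syslog-style messages. The page does not specify the exact matching semantics of a keyword, so this example assumes that a bare keyword matches anywhere in the message text, that `*` and `?` are shell-style wildcards applied to the whole text, that matching is case-insensitive, and that the first matching override rule wins; the host names and addresses are hypothetical.

```python
"""Added example (not BMC code): a toy model of the BMC Defender Server
normalization stage - filters, then address, facility and severity overrides,
each driven by a simple keyword/wildcard pattern with no spaces."""
import fnmatch
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Message:
    address: str   # source address the message arrived from
    facility: str  # syslog facility
    severity: str  # syslog severity
    text: str      # raw message text


def keyword_match(pattern: str, text: str) -> bool:
    """Simple keyword/wildcard match, the only expression form the filter and
    override screens accept. Assumed semantics: a bare keyword matches anywhere
    in the text; '*' and '?' are shell-style wildcards applied to the whole
    text; matching is case-insensitive; spaces are rejected, as on the screens."""
    if " " in pattern:
        raise ValueError(f"keyword pattern may not contain spaces: {pattern!r}")
    p, t = pattern.lower(), text.lower()
    if "*" in p or "?" in p:
        return fnmatch.fnmatchcase(t, p)
    return p in t


def first_match(rules, text):
    """Return the override value of the first rule whose pattern matches, else None.
    First-match-wins ordering is an assumption of this example."""
    for pattern, value in rules:
        if keyword_match(pattern, text):
            return value
    return None


def normalize(messages, filters, address_overrides, facility_overrides,
              severity_overrides):
    """Run the four stages in the documented order. Returns (kept, filtered)."""
    kept, filtered = [], []
    for m in messages:
        # Stage 1: any matching filter removes the message from processing,
        # but it is retained (the Filter screen) for later reference.
        if any(keyword_match(f, m.text) for f in filters):
            filtered.append(m)
            continue
        # Stages 2-4: overrides rewrite fields but never drop the message.
        addr = first_match(address_overrides, m.text)
        fac = first_match(facility_overrides, m.text)
        sev = first_match(severity_overrides, m.text)
        kept.append(replace(m,
                            address=addr or m.address,
                            facility=fac or m.facility,
                            severity=sev or m.severity))
    return kept, filtered


# Constructed sample input (hypothetical hosts and documentation-range addresses).
SAMPLE = [
    Message("192.0.2.10", "local0", "info",
            "sshd[1234]: Accepted password for alice from 10.0.0.5 port 51000 ssh2"),
    Message("192.0.2.10", "local0", "info",
            "sshd[1235]: Failed password for root from 203.0.113.7 port 4000 ssh2"),
    Message("192.0.2.11", "daemon", "debug",
            "cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
    # Arrived through a NAT gateway, so the source address is the gateway's,
    # not the firewall's own address.
    Message("203.0.113.1", "local0", "notice",
            "fw-dmz01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.10.0.20 PROTO=TCP DPT=445"),
]

FILTERS = ["*cron*"]                                     # drop noisy cron chatter
ADDRESS_OVERRIDES = [("fw-dmz01*", "10.10.0.1")]         # restore the real address behind NAT
FACILITY_OVERRIDES = [("sshd", "auth")]                  # bare keyword, matched anywhere
SEVERITY_OVERRIDES = [("*Failed?password*", "warning")]  # '?' stands in for the space


def run_sample():
    return normalize(SAMPLE, FILTERS, ADDRESS_OVERRIDES,
                     FACILITY_OVERRIDES, SEVERITY_OVERRIDES)


if __name__ == "__main__":
    kept, dropped = run_sample()
    for m in kept:
        print(f"{m.address:12} {m.facility:7} {m.severity:8} {m.text}")
    print(f"{len(dropped)} message(s) sent to the Filter screen")
```

The severity rule shows how the no-spaces constraint is worked around in practice: a phrase such as "Failed password" is expressed with a `?` wildcard in place of the space. Note that `fnmatch` also interprets `[` and `]` as a character class, so a pattern meant to match a literal bracket, as in `sshd[1234]`, would need those characters escaped.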