Macros as synonym lists


The actual macro value often corresponds to a list of synonyms, conjoined with the AND logical operator. The macro becomes a synonym for a whole list of words. This can be seen in the Correlation > Config > Macros screen, where various default synonym lists exist.

The nature of semantic correlation requires an easy way to represent synonyms. Because the BMC Defender Server system matches specific meaning rather than exact strings, synonymy is inescapable: different words often mean exactly the same thing. Macros support this fully, letting one name stand for a variety of different words with identical meanings.

Example

You might want to define a macro called @@crit_procs@@ that serves as a list of the critical process names on the system. Such a macro might have a long list of process names. The value might be something such as lsass.exe and svchost.exe and smss.exe and csrss.exe and winmgmt.exe. When you want to refer to any of these processes, you simply specify the @@crit_procs@@ macro. Likewise, to update the list of critical process names, you add the new process name to the list in the macro editor instead of updating the list at each location where the macro is used. In this instance, each of the processes is synonymous with the meaning "critical process".

Once the @@crit_procs@@ macro is defined, you can create an expression such as @@crit_procs@@ and @@process_terminated@@ which matches those messages that contain information about a critical process exiting on a system. Likewise, to acquire information about processes that are not critical, the expression is modified to be something such as @@process_terminated@@ and not @@crit_procs@@.
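The following is an added illustration of the behaviour described above, written for this page; it is not the product's own expression engine. It assumes a simplified model in which a synonym-list macro matches any message containing at least one of its listed terms (the reading implied by "refer to any of these processes"), and in which expressions are built from macro references joined by "and", each optionally preceded by "not". The macro values, the @@process_terminated@@ synonyms, and the log lines are constructed sample data.

```python
"""Toy model of macro-based synonym matching.

Assumptions (not taken from the product): a macro's value is a list of
synonyms; a message matches the macro when it contains ANY one of the
synonyms (case-insensitive substring match); expressions combine macro
references or bare words with "and" and "not".
"""
import re

# Constructed macro definitions mirroring the page's example.
# The @@process_terminated@@ synonyms are assumed for this illustration.
MACROS = {
    "crit_procs": ["lsass.exe", "svchost.exe", "smss.exe", "csrss.exe", "winmgmt.exe"],
    "process_terminated": ["terminated", "exited", "has stopped"],
}

MACRO_RE = re.compile(r"@@(\w+)@@")


def macro_matches(name, message):
    """True when the message contains any synonym listed under the macro."""
    try:
        synonyms = MACROS[name]
    except KeyError:
        raise ValueError(f"undefined macro: @@{name}@@")
    text = message.lower()
    return any(s.lower() in text for s in synonyms)


def evaluate(expression, message):
    """Evaluate an expression such as '@@a@@ and not @@b@@' against a message.

    Grammar (assumed for this example): terms are macro references or bare
    words, joined by 'and'; each term may be preceded by 'not'.
    """
    result = True
    negate = False
    expect_term = True
    for tok in expression.split():
        low = tok.lower()
        if low == "and":
            if expect_term:
                raise ValueError("unexpected 'and'")
            expect_term = True
            continue
        if low == "not":
            negate = not negate
            continue
        m = MACRO_RE.fullmatch(tok)
        if m:
            matched = macro_matches(m.group(1), message)
        else:
            matched = low in message.lower()
        # A negated term contributes True only when it did NOT match.
        result = result and (matched != negate)
        negate = False
        expect_term = False
    if expect_term:
        raise ValueError("expression ends without a term")
    return result


def filter_messages(expression, messages):
    """Return the subset of messages that satisfy the expression."""
    return [m for m in messages if evaluate(expression, m)]


# Constructed sample log lines (not real product output).
SAMPLE_LOGS = [
    "host1: process lsass.exe terminated unexpectedly",
    "host2: process notepad.exe exited with code 0",
    "host3: process svchost.exe started",
    "host4: process csrss.exe has stopped responding",
]

if __name__ == "__main__":
    for expr in ("@@crit_procs@@ and @@process_terminated@@",
                 "@@process_terminated@@ and not @@crit_procs@@"):
        print(expr)
        for line in filter_messages(expr, SAMPLE_LOGS):
            print("   ", line)
```

Run stand-alone, the first expression selects the lsass.exe and csrss.exe lines (a critical process exiting), while the second selects only the notepad.exe line (a non-critical process exiting); adding a name to MACROS["crit_procs"] changes both results without touching either expression, which is the maintenance benefit the page describes.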
