
1 Liblognorm

1.1 Introduction
1.1.1 Liblognorm is a tool to normalize log data.
1.1.2 Devices of the same type from different vendors often use different log entry
formats. Liblognorm is able to normalize these logs/events into generic ones.
1.1.3 Therefore, a common log analysis application is able to work on that common
set. It is also easy to convert a format into any other vendor-specific format,
so we can use that vendor's analysis tool.
1.2 System Requirements
1.2.1 Dependencies: libestr, libee, liblognorm
1.2.2 The most critical point is the sample database. All the schemes of log entries are
converted to a parse tree. Processing slows down if the sample database is huge,
because liblognorm has to try to find out which branch fits the log message. Therefore,
optimising the sample database so that it holds only the samples that are required can
increase the speed of liblognorm.
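
The slowdown described in 1.2.2, as an added Python example (not liblognorm code and not from the original page): a simplified model of a sample database merged into a parse tree, where `stats["tries"]` counts the branches tested for one message. The `%name:type%` field notation, the field types and the sample rules are assumptions constructed for illustration.

```python
import re

# Assumed, simplified field types; not liblognorm's own parser set.
TYPES = {"word": r"\S+", "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}", "number": r"\d+"}
FIELD = re.compile(r"%(\w+):(\w+)%")
# Constructed samples: two vendors' "deny" events mapped to the same field names.
RULES = ["DENY src=%src:ipv4% dst=%dst:ipv4% dport=%dport:number%",
         "fw: blocked %src:ipv4% -> %dst:ipv4%:%dport:number%"]

def compile_rule(rule):
    """Split a sample into ('lit', text) and ('field', name, type) steps."""
    parts, steps = FIELD.split(rule), []
    for i in range(0, len(parts), 3):
        if parts[i]:
            steps.append(("lit", parts[i]))
        if i + 2 < len(parts):
            steps.append(("field", parts[i + 1], parts[i + 2]))
    return steps

def build_tree(rules):
    """Merge samples into one tree; samples with a shared prefix share nodes."""
    root = {}
    for rule in rules:
        node = root
        for step in compile_rule(rule):
            node = node.setdefault(step, {})
        node["END"] = {}  # marks the point where a sample is complete
    return root

def normalize(tree, msg, stats):
    """Depth-first search for a fitting branch; stats['tries'] counts attempts."""
    for step, child in tree.items():
        stats["tries"] += 1
        if step == "END":
            if msg == "":
                return {}
            continue
        if step[0] == "lit":
            n = len(step[1]) if msg.startswith(step[1]) else -1
        else:
            m = re.match(TYPES[step[2]], msg)
            n = m.end() if m else -1
        if n >= 0:
            fields = normalize(child, msg[n:], stats)
            if fields is not None:
                if step[0] == "field":
                    fields[step[1]] = msg[:n]
                return fields
    return None
```

With the two constructed samples, the second vendor's message is resolved in 8 branch tests; placing 20 never-matching samples ahead of them raises that to 28 for the same message and the same normalized result.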
1.3 Log files and rulebase
