JSON Policy Builder
The JSON Policy Builder helps users easily map JSON values to the LogRhythm schema and export the policy file to use on the System Monitor Agent.
Import Sample Messages
Before mapping JSON values, add the log messages that you would like to use as samples. Samples can be added by copying and pasting a single log, multiple logs, or by importing a file.
Hover over the status bar in the upper right to view the number of logs queued and processed.
Single Log Import
In the Sample Messages section, click the Single Log tab.
Paste in your sample log.
Click + to add the log to the processing queue.
Multiple Log Import
In the Sample Messages section, click the Multiple Logs tab.
Paste in your sample logs.
Each log should follow standard JSON formatting and be wrapped in curly brackets.
Click + to add the logs to the processing queue.
File Import
In the Sample Messages section, click the File Import tab.
Drag and drop a file into the window. Alternatively, clicking anywhere in the text box will allow you to navigate to the desired file.
Each log should follow standard JSON formatting and be wrapped in curly brackets.
Click + to add the logs to the processing queue.
Select if the logs should be processed as a single log, an array of logs, or a set of logs.
Map JSON Values to the LogRhythm Schema
To map a new field or modify an existing one:
Expand the JSON Mapping section.
Review the fields and data structure of the incoming logs and their respective frequencies. Hover over the frequency graph to get full details.
For each field of interest, select the appropriate LogRhythm SIEM field from the Mapping drop-list.
Export JSON Policy to System Monitor Agent
To export the policy to the System Monitor Agent:
Click Export SMA Policy.
A file download will start.(Optional) Rename the file if desired.
Place the file on the System Monitor Agent in the custompolicies folder:
C:\Program Files\LogRhythm\LogRhythm System Monitor\policies\custompolicies
To enable your new JSON policy, you must restart the System Monitor Service. For more information, see Custom Policy Folder.
Settings
The Settings menu is located at the top-right of the window and includes the following options and preferences:
Option | Description |
|---|---|
Accept and Wrap non-JSON logs | Enabling this option wraps any JSON data that is incorrectly formatted into a fake JSON field. With this option enabled, the SIEM will not process these incorrectly formatted logs. This option is best used to bypass the JSON format verification and view non-JSON data in log data. |
Extract Beat's '.message' only | Enabling this option is sometimes necessary for Beats that wrap non-JSON data in a .message JSON entry. For example, the jsBeat and the FileBeat. This option needs to be enabled before processing sample logs in this format. |
Background Process Max (messages/second) | Move the slider from left (slower) to right (faster) to determine how quickly logs are processed when added to the queue. |
Max Messages in Queue | Move the slider from left (fewer) to right (more) to determine the number of incoming messages to be accepted and queued for processing. When the set number of logs has already been reached, additional logs added to the queue will be ignored. |
Max Messages in Processed Logs (third slider) | Move the slider from left (fewer) to right (more) to determine how many messages from the incoming queue will be processed. When the set number of logs has been processed, the background process automatically stops. Any logs still in the queue when the set number has been reached are left unprocessed. |
Display | Toggle between Day and Night mode. |
Language | Select the preferred user language. |