Message Processing

Administrator permissions are required to access this feature.

Axon uses message processing policies within log source types to determine how to classify and process log message data. Log source types are defined by the particular data schema used in the log messages they generate. Defining log source types allows Axon quickly translate the log data into usable information for an analyst. Identification policies classify a log message into the appropriate log source type. Normalization policies separate the data from the log message into assigned fields within the Axon Data Schema. For more information, see the Axon Data Schema Guide.

View Log Source Types

1. In the lower-left corner of the main screen, click the Administration cog.
   The Administration menu appears on the left side.

2. Under Integrations, click Message Processing.
   The Log Source Types list appears.
   By default, the list of log source types appears in alphabetical order. The table shows the following information for each log source type:

   Column	Description
   Log Source Type Name	The name of the log source type. Each log source type must have a unique name within your environment.
   Version	The version changes when a user modifies the log source type and publishes the changes.
   Author	The author of the log source type.
   Collector Type	The collector type associated with the log source type.
   Status	The status of the log source type (Draft or Published). Published status indicates Axon is using the version to process messages. Draft status indicates the modifications are not being used to process messages.
   Created By	If available, the name of the user who created the log source type is shown.
   Last Modified	The date and time when the log source type was last modified.

   

   For information on filtering columns in the table, see Filters.

Import and Export Log Source Types

Log source types can be imported and exported from Axon through the Message Processing page. This can allow users to share configured policies for their log source types with other users to simplify the policy setup process.

Import Log Source Types

If you have an exported log source type saved as an .lre file (LogRhythm Export), you can import into Axon by performing the following steps:

1. In the lower-left corner of the main screen, click the Administration cog.
   The Administration menu appears on the left side.

2. Under Integrations, click Message Processing.
   The Log Source Types list appears.

3. In the top-right corner, click Actions, and then click Import.
   The Import Log Source Type window appears.
4. Either click Browse Files and locate the .lre file on your machine, or drag and drop the file into the window as indicated.

5. Click Import Draft.
   If a log source type by the name of your import already exists, the policies for that log source type will be updated.
   If the imported log source type is new, it will be created with the imported policy in place.

   

   Log source types are not checked for functional policies upon import. Please ensure that your policies have been tested for errors or conflicts before importing.

Export Log Source Types

In order to share log source types with other users, you can export them from your Axon UI to an .lre (LogRhythm Export) file. Export log source type policies using the following steps:

1. In the lower-left corner of the main screen, click the Administration cog.
   The Administration menu appears on the left side.

2. Under Integrations, click Message Processing.
   The Log Source Types list appears.

3. Open the vertical three-dot menu to the left of the log source type whose policies you wish to export.
4. Click Export.
   The Export Log Source Type window appears.
5. Check each policy that you would like to be included in the export file.

6. Click Export.
   The log source type and its selected policies are saved to the machine as an .lre file.

   

   When log source types are imported by Axon, they are not checked for functional policies. Please ensure that your policies have been tested for errors or conflicts before importing or sharing.

   

   Log source types can also be exported from the Log Source Type Profile Page.

Available Actions on the Message Processing Page

What do you want to do?	How do you do it?
View details and processing policies for a log source type.	In the Log Source Type Name column, click the log source type name.
Create a new log source type. For more information on adding a new collector, see Create a Log Source Type.	In the upper right corner, click Actions, and then Create a Log Source Type.
Import a log source type. For more information on importing a log source type, see Import and Export Log Source Types above.	In the upper right corner, click Actions, and then Import.
Export a log source type. For more information on importing a log source type, see Import and Export Log Source Types above.	Click the three-dot menu to the left of a log source type, and then click Export.