Apply LogRhythm Default v2.0 on a Log Source
Log sources in the LSO program contain two sets of MPE rules, but only one set of rules can be applied at a time. The "LogRhythm Default" log processing policy includes a default configuration with legacy parsing and MPE rules. The "LogRhythm Default v2.0" policy includes a new set of parsers and MPE rules compatible with LSO. This section provides steps to configure a log source type with the new LogRhythm Default v2.0 log processing policy.
Configuring log source types to utilize LogRhythm Default v2.0 requires two steps: Verifying the LogRhythm Default v2.0 policy in the LogRhythm Knowledge Base (KB) and changing the log processing policy in the System Monitor Agent configuration.
Verify LogRhythm Default v2.0 in the Knowledge Base
- Log in to the LogRhythm Client Console with Administrator rights.
- Click Deployment Manager.
- Click the Log Processing Policies tab.
- Under the Log Source Type column, search in the grid for the log source type you want—for example, MS Windows Event Logging XML - Security.
Confirm that "LogRhythm Default v2.0" is listed in the Policy Name column.
If you do not see the LogRhythm Default v2.0 policy, ensure that you are on KB 7.1.591.0 or above and have the correct synchronization settings. For more information, see KB Synchronization Settings for LSO.
Change the Log Processing Policy in the System Monitor Agent Configuration
- In the Deployment Manager, click the Log Sources tab.
- In the filter, search for the log source type(s) you want to change, and then select the Action check box for each one.
- Right-click the grid, click Actions, and then click Edit Properties.
The Log Message Source Properties window appears. - Click the Browse button to the right of the Log Message Source Type field.
The Log Source Type Selector dialog box appears. In the Text Filter, search for the appropriate log source type, and then click Apply.
For a list of all currently optimized Log Source Types, refer to the Log Source Optimization topic. Each log source in the table of contents with (Mapping Doc) in the title is optimized.
- Select the log source type you want, and then click OK.
- Under Log Message Processing Engine (MPE) Policy, select LogRhythm Default v2.0 from the drop-down menu.
Click OK.
The log source type is now configured to apply the LogRhythm Default v2.0 log processing policy and MPE rules.The policy could take up to 20 minutes to apply within your deployment.