LSO Overview
When log sources were initially developed for collection in LogRhythm, the number of data fields available for mapping extracted information through Message Processing Engine (MPE) rules was limited. As newer, more complex schema fields were introduced in antivirus engines, web proxies, and other log source types, LogRhythm's MPE rules did not always parse these fields accurately or extract data to the same fields consistently, which sometimes led to the extracted log data being misrepresented.
To prevent these classification errors and improve parsing of log source data, LogRhythm developed the Log Source Optimization (LSO) project. LSO creates new MPE rules that parse log metadata into the correct schema fields, accurately classify even highly complex log source data, and update the log processing policy accordingly. The new MPE rules are mapped to the legacy rules through specific metadata fields, classifications, and common event values, so that content built on those values, including AIE rules, investigations, tails, and reports, continues to match.
To make mapping as easy as possible, LogRhythm created the new MPE rules under the existing log source types, using functionality that already existed for testing custom MPE rules assigned to a built-in log source. These new MPE rules are bundled as a log processing policy called "LogRhythm Default v2.0," available in Knowledge Base (KB) version 7.1.591.0 and above.
The LogRhythm Default v2.0 policy and parsing changes are automatically pushed to your environment once you apply KB 7.1.591.0 or above, but they are not automatically applied to existing log sources. You must manually apply LogRhythm Default v2.0 to log source types MS Windows Event Logging XML - Sysmon and MS Windows Event Logging XML - Security.
Manually applying the LogRhythm Default v2.0 policy allows you to review the parsing updates, classifications, and common events assigned to the log messages, analyze any downstream impacts on LogRhythm components, and adjust your custom analytical content at your discretion. You also have the option to stay on the current log processing policy (LogRhythm Default) and switch to LogRhythm Default v2.0 at any time.
LogRhythm is developing new MPE rules first for the most problematic legacy log sources (as identified by LogRhythm Support and Engineering teams), and will eventually stop providing enhancements and parsing changes on the legacy MPE rules when the optimized log sources are fully developed.
To use the updated MPE rules for LSO, verify that you are on Knowledge Base (KB) version 7.1.591.0 or above and that you have the correct synchronization settings. For more information, see KB Synchronization Settings for LSO.
After verifying you are on KB version 7.1.591.0 or above, you must then apply the LogRhythm Default v2.0 log processing policy in your deployment. For more information, see Apply LogRhythm Default v2.0 on a Log Source.
For detailed information about updates to parsing MPE rules, log processing settings, and system analytical contents, refer to the updated LSO: Sysmon, LSO: Windows, LSO: Palo Alto Firewall, and LSO: Symantec Endpoint Server mapping documentation.