This guide describes LogRhythm's Log Source Optimization (LSO) project, which introduces an updated mapping schema for log sources in LogRhythm, implemented with new MPE (Message Processing Engine) rules. It explains how to enable and disable the new log source policies and MPE rules in your LogRhythm deployment, which log processing policy changes are required to benefit from LSO, and how each log field is parsed by common event.

LSO currently supports ten log source types:

  • MS Windows Event Logging XML - Sysmon
  • MS Windows Event Logging XML - Security
  • Syslog - Check Point Log Exporter
  • Syslog - Cylance
  • Syslog - FireEye MPS
  • Syslog - Imperva Incapsula CEF
  • Syslog - Palo Alto Firewall
  • Syslog - Symantec Endpoint Server
  • Syslog - Tanium
  • Syslog - Trend Micro Apex One

To implement LSO, a log source must be one of these ten log source types and must be assigned the LogRhythm Default v2.0 log processing policy; log sources of other types, or those still using an older processing policy, are not affected by LSO.