Knowledge Base Synchronization Settings can affect the status of AI Engine Rules after a Knowledge Base synchronization. Before syncing the Knowledge Base, review your settings on the Synchronize Additional System Properties tab in the AI Engine Rule Properties section and verify that the Enable Advanced Synchronization Settings check box is unchecked. For a detailed explanation of these settings, see AI Engine Rule Properties.

Knowledge Base Automatic Synchronization Settings allow you to set the Synchronization Mode, Schedule, and Synchronize Additional System Properties. These settings are accessed via the Automatic Synchronization Settings button.

  1. Set Synchronization Mode.
    1. On the Synchronization Mode tab, determine the Knowledge Base Automatic Synchronization Mode settings.
    2. Select the Enable Automatic Knowledge Base Download check box. When enabled, you can choose to enable the Knowledge Base Core synchronization, enable Knowledge Base Module synchronization, or stop synchronization when Common Event migrations are detected.
  2. Set Schedule. On the Schedule tab, set the schedule to check for Knowledge Base updates. Set the frequency (in days), time, and start date.
  3. Set Proxy Settings. On the Proxy Settings tab, set the following items:
    • Proxy Server Address. You must use the format http://<address> (for example, http://123.4.5.6/).
    • Proxy Server Port. If necessary, select the Proxy Server Requires Authentication check box and then provide the appropriate credentials.
  4. Set Synchronize Additional System Properties. When you have made customizations to filter criteria for System Reports, Investigations, or Tails, you must verify that the Advanced Settings are configured so as not to overwrite your customizations during import.

    If you are not familiar with the customizations that have been made to your deployment, obtain this knowledge and/or contact LogRhythm Support for assistance.
    | Synchronize Additional System Properties | Description |
    |---|---|
    | Log Processing Properties | |
    | Common Events (Recommended) | Synchronize all customizable Common Event properties: Classification, Risk Rating, and Description. |
    | Log Processing Policies | Synchronize all system log processing policies, replacing any customized log and event management settings. |
    | Port and Protocol Application and Mappings (Recommended) | Synchronize all system port and protocol application mappings. Custom mappings that conflict with system mappings will be replaced. Custom mappings that do not conflict with system mappings will be retained. |
    | Report Properties | |
    | Log Source List Criteria | Synchronize the Log Source Criteria for all system reports that use Log Source Lists. |
    | Filter Criteria | Synchronize the Filter Criteria for all system reports. |
    | Investigation Properties | |
    | Log Source List Criteria | Synchronize the Log Source Criteria for all system Investigations that use Log Source Lists. |
    | Filter Criteria | Synchronize the Filter Criteria for all system Investigations. |
    | Tail Properties | |
    | Log Source List Criteria | Synchronize the Log Source Criteria for all system Tails that use Log Source Lists. |
    | Filter Criteria | Synchronize the Filter Criteria for all system Tails. |
    | AI Engine Rule Properties | For a detailed explanation of these settings, see AI Engine Rule Properties. |
    | Log Source List Criteria | Synchronize the Log Source Criteria for all system AI Engine Rules that use Log Source Lists. The check box is unchecked by default (recommended setting). |
    | Enable Advanced Synchronization Settings | Synchronize user editable rule evaluation settings for all system AI Engine Rules. This includes all Rule Block Time Limit settings, Unique Value Rule Block occurrences, and Threshold Rule Block values. The check box is unchecked by default (recommended setting). |
    | Only Sync Additional Properties for Disabled Rules | Only synchronize advanced settings when the AI Engine Rule is disabled. |
    | Disable Dynamic Sync Settings Universally | Manage all dynamic sync rules manually instead of allowing LogRhythm to update them for you as the module content changes. Manual settings persist after Knowledge Base synchronization. Deselecting this setting does not change settings on existing modules. This feature is turned on by default, but most modules are not configured for Dynamic Sync. Modules that are configured to allow Dynamic Sync are determined by LogRhythm. |
    | Alarm Rule Properties | |
    | Log Source List Criteria | Synchronize the Log Source Criteria for all system Alarm Rules that use Log Source Lists. |
    | Primary Criteria and Filter Criteria | Synchronize the Primary Criteria, Include Filters and Exclude Filters for all Alarm Rules with System: Global Admin permission. |
    | Global Log Processing Rule Properties | |
    | Log Source List Criteria | Synchronize the Log Source Criteria for all system GLPRs that use Log Source Lists. |

AI Engine Rule Properties

Log Source List Criteria

By default, the Log Source List Criteria check box is unchecked. The following table explains the synchronization behavior for each check box option.

| Check Box | Behavior |
|---|---|
| Unchecked (default) | The Log Sources and Log Source Lists are not synchronized from the Knowledge Base (wherever Log Source List and Log Source is used) and keep the current values. This is the recommended setting. |
| Checked | The Log Sources and Log Source Lists are synchronized from the Knowledge Base into the rules filter. |

Enable Advanced Synchronization Settings

The Enable Advanced Synchronization Settings check box controls an AI Engine Rule's advanced settings on the Settings tab in the AI Engine Rule Wizard, including:

  • Expiration Date
  • Rule Group
  • Permissions
  • Run Time Priority
  • Rule Set ID
  • Suppression Seconds
  • False Positive Probability
  • Data Segregation Mode
  • Enable Event Forwarding


By default, the Enable Advanced Synchronization Settings check box is unchecked. Also by default, the Only sync additional properties for disabled setting is grayed out and not applied. The following table explains the synchronization behavior for the available check box combinations.

| Enable Advanced Synchronization Settings | Only sync additional properties for disabled | Behavior |
|---|---|---|
| Unchecked (default) | Grayed out (default) | All user advanced settings for system rules are preserved. This is the recommended setting. |
| Checked | Checked | Only disabled system rules are updated to match the advanced settings for those rules in the Knowledge Base. Enabled system rules are not updated and retain their advanced settings. |
| Checked | Unchecked | All system rules are updated to match the advanced settings in the Knowledge Base. This setting is not recommended on an active deployment because the Rule Set ID will be reset to the default value of 0. This can cause rules to be unassigned from an AI Engine, which causes rules to be disabled. Use this setting only if you want to intentionally reset all rules to match the Knowledge Base. |
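
The check box combinations in the table above, modeled as a pre-sync impact check that lists which rules would have advanced settings overwritten and which enabled rules would have their Rule Set ID reset to 0. This is an added example, not LogRhythm code; the Rule record, its field names, and the inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    # Hypothetical record for one system AI Engine Rule; field names are assumptions.
    name: str
    enabled: bool
    local: dict  # advanced settings currently set in the deployment
    kb: dict     # advanced settings for the same rule in the Knowledge Base

def rules_in_scope(rules, advanced_sync, only_disabled):
    """Apply the check box table: which rules get their advanced settings replaced."""
    if not advanced_sync:
        return []  # Unchecked (default): all user advanced settings are preserved
    if only_disabled:
        return [r for r in rules if not r.enabled]  # enabled rules keep their settings
    return list(rules)  # Checked + Unchecked: every system rule is updated

def sync_impact(rules, advanced_sync, only_disabled=False):
    """List the rules a sync would change, with (old, new) values per setting."""
    report = []
    for r in rules_in_scope(rules, advanced_sync, only_disabled):
        changed = {k: (r.local.get(k), v) for k, v in r.kb.items() if r.local.get(k) != v}
        if not changed:
            continue
        old_id, new_id = changed.get("rule_set_id", (None, None))
        report.append({
            "rule": r.name,
            "changed": changed,
            # An enabled rule whose Rule Set ID falls back to 0 can lose its
            # AI Engine assignment and end up disabled.
            "may_be_unassigned": r.enabled and new_id == 0 and old_id not in (None, 0),
        })
    return report

# Constructed inventory for illustration only.
RULES = [
    Rule("Constructed Rule A", True,
         {"rule_set_id": 2, "suppression_seconds": 3600},
         {"rule_set_id": 0, "suppression_seconds": 60}),
    Rule("Constructed Rule B", False,
         {"rule_set_id": 0, "suppression_seconds": 900},
         {"rule_set_id": 0, "suppression_seconds": 60}),
    Rule("Constructed Rule C", True,
         {"rule_set_id": 0, "suppression_seconds": 60},
         {"rule_set_id": 0, "suppression_seconds": 60}),
]

if __name__ == "__main__":
    for adv, only in [(False, False), (True, True), (True, False)]:
        print(adv, only, sync_impact(RULES, adv, only))
```

Any rule flagged `may_be_unassigned` is one whose detection coverage should be confirmed after the sync, since it may no longer be running on an AI Engine.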