If you are not familiar with the customizations made to your deployment, do not proceed with the import until you have acquired that knowledge, or contact LogRhythm Support for assistance.

Import Phase 1: Automatically Download or Select the Knowledge Base File

  1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.

    The Deployment Manager must be closed to access the Knowledge Base Manager.


    The Knowledge Base Manager appears.

  2. Do one of the following:
    • If you want to automatically download the Knowledge Base, click Check for Knowledge Base Updates and then click Synchronize Stored Knowledge Base, if necessary.
    • If you manually downloaded the Knowledge Base file:
      1. From the Knowledge Base Manager, click File, then click Import Knowledge Base File.
      2. Select the Knowledge Base File, and then click OK.
        The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The file is checked for compatibility with your current deployment and is prepared for import. This may take several minutes. Upon completion, the Unpack Progress: Knowledge Base unpacked message appears.
  3. To import the Knowledge Base, click Next.
    Upon completion, the Import Progress: Import Completed message appears.
  4. Click OK.
    The Knowledge Base Updated message appears.
  5. Click OK.
  6. On the Knowledge Base Import Wizard, click Close.

Import Phase 2: Enable Knowledge Base Modules and Synchronize

  1. Select the Action check boxes next to the modules you want.
    The Enable Selected Modules message box appears.
  2. Right-click the module you want, click Actions, and then click Enable Module.
  3. If you want Reports, Report Packages, Tails, and Investigations to have their log data indexed, select the Enable Intelligent Indexing on Module Objects check box. For more information, see Use Intelligent Indexing.
  4. To start the synchronization, click OK.
  5. When complete, click Close to complete the process.

Import Phase 3: Migrate Common Event Changes

Some Knowledge Base updates include Common Event migration changes, which are changes to the Common Event metadata filters used by LogRhythm. When importing a Knowledge Base with Common Event changes, you are given the opportunity to preview any objects that are affected by those changes and that require Common Event migration work. These changes can impact the behavior of existing objects, both System and Custom, as currently deployed. For more information about Common Event Manager, see Common Event Manager.

  1. If an Action Required message appears, some items need to be updated due to Common Event migration changes. Click Common Event Change Manager.
  2. Do one of the following:
    • To migrate a Common Event with a preview, select the Action check box for the item. Right-click the grid, select Migrate With Preview, and then select either Common Event To Common Event or Common Event To MPE Rule.
    • To migrate a Common Event without a preview, select the Action check box for the item. Right-click the grid, select Action, and then select either Migrate Common Event to Common Event or Migrate Common Event To MPE Rule.
  3. Click Close.