Add a Single Log Source
You must be logged in as an Administrator to take this action.
- On the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- Select the Agent where you want to add a Log Source.
- Right-click the selection and click Properties.
The System Monitor Agent Properties window opens. - Right-click in the lower pane and select New to open the Log Message Source Properties window.
In the Basic Configuration tab, enter the appropriate information.
Property Description Basic Configuration Tab Log Source Host
The Host for the log file.
Collection Agent The System Monitor Agent performing the log collection. Log Message Source Type The type of source of the log data. Example, Microsoft Event Log - Security. The Log Source Type Selector lets you choose between System Log Sources and Custom Log Sources that you have created. For more information, see Log Source Types.
You must create parsing rules for the new, custom log sources before data can be parsed from the logs. Contact LogRhythm Support to submit a request for parsing rules for a new Log Source Type. Users who attended LogRhythm Rule Building training can create their own custom parsing rules.
Log Message Source Name The name of the log source being configured. Brief
DescriptionDescription of the log source being configured. Log Message
Processing ModeEnable or disable processing or event forwarding. Log Message Processing Engine (MPE) Policy Select the MPE Policy to assign to the log source being configured. Forward Logs to LogRhythm LogMart Select to enable log forwarding to LogMart.
A GLPR can override log forwarding to LogMart.
In the Additional Settings tab, enter the appropriate information.
Property Description Additional Settings Tab Virtualization Settings
A virtualized Log Source collects logs from more than one real source (multiple switches, access points, etc.) via the Agent's syslog. The identifiers are data that would trigger the Agent to assign the log to this virtual Log Source. Select the check box for the identifier you want.
Log Data Management and Processing Settings - Don't Archive. A copy of the logs is not written to archive.
- Drop Whole Log. Log messages are not indexed or written to the Events DB or LogMart. Logs are archived unless Don't Archive is selected.
- Drop Raw Log. Only log metadata is indexed. Logs are archived unless Don't Archive is selected.
Silent Log Message Source Settings - Enable Silent Log Message Source Detection. Select to begin detecting Silent Log Message Sources.
- Issue Warning After n hours and n minutes. Set time frame before a Warning is issued due to a log source not being received.
- Issue Error After n hours and n minutes. Set time frame before an Error is issued due to a log source not being received.
Start Collection from the Beginning of the Log When enabled, the System Monitor Agent starts the log collection at the beginning of the log to obtain all historical Event Logs. Collecting historical data can be time intensive lasting hours to days to catch up with real-time data.
When disabled, the log collection starts real-time at the current time and date.Load Balanced Log Source Indicates that this Log Source is a load balanced Log Source. Be sure the Agents that receive load balanced log sources are configured to communicate with all Mediators that are used for load balancing for that set of Agents. Configuring these Agents to communicate with only some of the Mediators in the set will result in errors. For more information, see Load Balancing.
In the Flat File Settings tab, enter the appropriate information. For additional information on collecting local flat files and Windows Extended Event log, see Configure a Host for Local Flat File Collection.
Property Description Flat File Settings Tab File Path Define the path to the directory or log file.
Examples: Directory path = C:\Logs; Log file path = C:\Logs\error.log
If you enter a directory path, you must enable the Is Directory field.
If you enter a log file path, you cannot enable the Is Directory field.
Date Parsing
FormatDefine regular expression (Regex) patterns to be used by a System Monitor Agent for parsing date information from log files.
To open the Date Format Manager, click the ellipsis [...] button after the Date Parsing Format field. Select an existing date parsing format or create a new one by clicking File, and then clicking New.
Multiline Log Message Settings
- Log Message Start Regex. Serves to indicate the start of a multiline log entry. If a line read for a log file matches this Regex string, it indicates the beginning of a new log entry.
- Log Message Delimiter Regex. Serves to indicate that the current line delimits log entries. When the line matches the Regex string, it indicates that the previous entry is complete and a new log entry follows on the next line. The line matched by the Log Message Delimiter Regex is discarded and not included in any log entry.
- Log Message End Regex. Serves to indicate the end of a multi-line log entry. If a line read from a log file matches this Regex string, it indicates the end of the current log entry. The line matched is included in the log entry.
Usually, only one of the three parameters is necessary, dependent upon which configuration parameter offers the most simplistic Regex.
For additional information, see Multi-Line Log Collection.
Directory Collection
Is DirectorySelect to indicate that the file path entered above is a directory. Selecting this box allows files to be collected recursively through the directory and enables the other fields in the Directory Collection area. Watch File Rename On Rollover Check this box when collecting log files that are renamed on rollover. Uncheck this box when collecting logs that do not get renamed on rollover. Recursion Depth Select a number to indicate the number of folder levels relative to the File Path entry.
Example: When the path = C:\Logs
The depth for files in C:\Logs = 0
The depth for files in C:\Logs\20100430 = 1
Inclusions If you do not want to collect logs from all files, add the inclusions required.
Inclusion is extremely flexible and allows a complex use of wildcards. It is based on the model used in File Integrity Monitor. If you are not familiar with how Inclusion functions in FIM, read the FIM section Inclusion and Exclusion Filters for detailed information before you complete this field.
Exclusions If you do not want to collect logs from all files, add the exclusions required.
Exclusion is extremely flexible and allows a complex use of wildcards. It is based on the model used in File Integrity Monitor. If you are not familiar with how Exclusion functions in FIM, read the FIM section Inclusion and Exclusion Filters for detailed information before you complete this field.
Compression Type Select the type of compression (for example, gzip, tar, targzip, bzip2, zip, or none). File Path
Date Parsing Format
Open the Date Format Manager by clicking the ellipsis [...] button after the Date Parsing Format field.
To select a system date format or create a new one, click the File menu, and then click New.
Multiline Log Message Settings
Directory Collection
Compression Type
Enter the appropriate information in the UDLA Settings tab (Universal Database Log Adapter). For more information, see Configure UDLA Log Collection.
Property Description UDLA Settings Tab ODBC / OLE DB Select the ODBC or OLE DB connection type. Connection String The connection string for the UDLA Log Message Source. Query Statement The SQL select statement that returns the fields comprising the log entry. The select statement must contain a state field and unique identifier fields. Output Format Determine how to format the returned rows as text. Unique Identifier Field Determine how an absolute unique record identifier is defined. This value is used for state tracking. Can be a list of comma separated fields. Message Date Field Determine which field is used for determining log message date. The value parsed from this field is stored in Msg.MsgDate. This value is also normalized and stored in Msg.NormalMsgDate. State Field Type Determine how state tracking is performed. State Field Determine which table column to use for state tracking. State Field Conversion The SQL statement required to convert the state column (if applicable). Get UTC Date Statement The SQL statement that returns the current system time in UTC for use in date normalization. In the Additional Info tab, enter any additional notes or information.
Property Description Additional Info Tab Additional Details A text field to add descriptive information about the log source. Event Log Filter (XML query) A text field to add an XML query.
For information on creating and testing an XML query, see the Microsoft Tech Community post on Advanced XML filtering in the Windows Event Viewer.The Event Log Filter text field is only enabled for the Vista Event Log type. All MS Windows Event Logging log sources are included in the Vista Event Log type.
Click OK.