Configuration and Log Processing
LogRhythm can provide additional information depending on how you configure your deployment.
Entities and Known Hosts
Known Hosts are used in LogRhythm to:
- Consolidate and roll up log message activity.
- Calculate Risk Based Priority and Direction.
- Provide filter criteria.
A log message is identified with a Known Host using its Windows Host Name(s), DNS Host Name(s), and IP Address(es). The Known Host is resolved in the following order:
1. If the Log Source Host Entity is a child entity:
   - Search for Hosts within the Log Source Host Root Entity.
   - Search for Hosts within other child Entities within the Log Source Host Root Entity.
2. If the Log Source Host Entity is a Root Entity, search for Hosts within any child Entities within the Log Source Host Entity. This must resolve to a single Host; if the search returns more than one Host, resolution goes to Step 5.
3. If there is a public IP Address, search other Root Entities, but not their child Entities. This must resolve to a single Host; if the search returns more than one Host, resolution goes to Step 5.
4. Search for Hosts within the Global Entity.
5. The Known Host is not resolved.
Zones
Hosts and Networks are also assigned a Zone value of Internal, External, or DMZ. The Zone is assigned in the following order:
1. Use the Zone of the resolved Known Host.
2. Use the Zone of the resolved Network.
3. Use the IP Address:
   - If the IP Address is private, set the Zone to Internal.
   - If the IP Address is public, set the Zone to External.
   - If there is no IP Address, set the Zone to Unknown.
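The Known Host resolution order and the Zone fallback described above, as an added Python example (not LogRhythm's own code): the entity hierarchy, host identifiers and Zone values are constructed sample data, "private" is assumed to mean the RFC 1918 ranges, the Network step of Zone assignment is left out, and the Global Entity is assumed to be searched only in Step 4.

```python
import ipaddress

# Constructed sample deployment (assumed, not from the page): entity -> parent Root Entity (None for a root) and its Known Hosts.
ENTITIES = {
    "Corp":        {"parent": None,   "hosts": [{"name": "dc01",  "ids": {"dc01", "10.0.0.5"},      "zone": "Internal"}]},
    "Corp-Branch": {"parent": "Corp", "hosts": [{"name": "fs01",  "ids": {"fs01", "10.1.0.9"},      "zone": "Internal"}]},
    "Corp-DMZ":    {"parent": "Corp", "hosts": [{"name": "web01", "ids": {"web01", "203.0.113.10"}, "zone": "DMZ"}]},
    "Partner":     {"parent": None,   "hosts": [{"name": "vpn01", "ids": {"vpn01", "198.51.100.7"}, "zone": "External"}]},
    "Global":      {"parent": None,   "hosts": [{"name": "ntp01", "ids": {"ntp01", "192.0.2.1"},    "zone": "External"}]},
}
# "Private" is taken to mean the RFC 1918 ranges (assumption; the page does not list the ranges).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _ips(idents):
    """Identifiers that are IPv4 addresses; everything else is a Windows or DNS host name."""
    return [ipaddress.ip_address(i) for i in idents if i.replace(".", "").isdigit()]
def _is_private(ip):
    return any(ip in net for net in PRIVATE)
def _matches(entities, idents):
    """Hosts in the listed entities whose host names or IPs overlap the log's identifiers."""
    return [h for e in entities for h in ENTITIES[e]["hosts"] if h["ids"].intersection(idents)]
def _children(root):
    return [e for e, v in ENTITIES.items() if v["parent"] == root]

def resolve_known_host(log_source_entity, idents):
    """Walk the page's resolution steps in order; None means Step 5 (Known Host not resolved)."""
    parent = ENTITIES[log_source_entity]["parent"]
    if parent is not None:                                     # Step 1: child entity
        found = _matches([parent], idents) or _matches(        # the root first, then sibling children
            [c for c in _children(parent) if c != log_source_entity], idents)
        if found:                                              # page gives no tie rule here: first wins
            return found[0]
    else:                                                      # Step 2: root entity -> its children
        found = _matches(_children(log_source_entity), idents)
        if found:
            return found[0] if len(found) == 1 else None       # more than one Host -> Step 5
    if any(not _is_private(ip) for ip in _ips(idents)):        # Step 3: public IP -> other roots only
        roots = [e for e, v in ENTITIES.items()                # Global assumed to belong to Step 4 only
                 if v["parent"] is None and e not in (log_source_entity, parent, "Global")]
        found = _matches(roots, idents)
        if found:
            return found[0] if len(found) == 1 else None       # more than one Host -> Step 5
    found = _matches(["Global"], idents)                       # Step 4
    return found[0] if found else None                         # Step 5

def assign_zone(host, idents):
    """Zone order from the page, with the Network step omitted (no Networks are modelled here)."""
    if host is not None:
        return host["zone"]
    ips = _ips(idents)
    return "Unknown" if not ips else ("Internal" if _is_private(ips[0]) else "External")
```

Calling `resolve_known_host("Corp", ("fs01", "web01"))` shows the Step 2 ambiguity rule: two matching child Hosts resolve to nothing, and the Zone then falls back to the IP address (Unknown here, since only host names were supplied).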
GeoLocation
Geographic IP (GeoIP) location levels (Country, Region, City) are shown in Network Visualization graphics.
The level of resolution depends on how you set the GeoIPResolutionMode property in the Data Processor Advanced Properties. If GeoIPResolutionMode is set to None (the default), then GeoIP location cannot be resolved for logs or Network Visualization.