You must be logged in as an Administrator to take this action.
Administrators can create custom sub-rules to classify logs according to specific criteria. To make the process easier, LogRhythm allows you to clone an existing sub-rule, and then add custom filter criteria.
1. Run an Investigation.
2. Click the Log Viewer tab.
3. Select a sample of relevant logs.
4. Right-click the selected logs and select Copy Selected Logs to Rule Builder and Load Rule.
   The sub-rule that is currently classifying the logs is selected in the Sub-Rules tab in the bottom pane.
5. Right-click the selected sub-rule, and then click Clone.
   The Sub-Rule Properties window for the new sub-rule opens.
6. To make a separate rule, type a new Rule Name.
7. In the Common Event field, select the Common Event you want.
8. In the Rule Status field, select Production or Test. This step is necessary to enable the sub-rule in the MPE Policy.
9. In the Mapping Tags section, select the mapping you want.
10. On the main toolbar, click Deployment Manager.
11. Click the Log Processing Policies tab.
12. Double-click the relevant Log Source Type.
    The MPE Policy Editor window appears. The custom sub-rules appear at the top of the list.
13. Check the box next to the new custom sub-rule.
14. Right-click the sub-rule and select Properties.
    The MPE Policy Rule Editor opens.
15. Check the Enabled box.
    Logs meeting the qualifications of the sub-rule will now be classified according to the Common Event.
16. Click OK.