Define a Text File Notification Policy
File-based alarm notification is implemented as a Contact Method and Notification Type in the ARM.
On the main toolbar, click Deployment Manager.
Click the People tab.
Add a Person Record or Role, or open an existing Person or Role record, such as the LogRhythm Administrator.
From the Contact Method Type list, select Text File.
At the end of the Alarm Notification Policy field, click the ellipsis [...] button.
The Notification Policy Manager appears.
On the File menu, click New Text File Policy to create a new policy.
The Create/Assign Policy? dialog box appears.
To clear the dialog box, click OK.
The Text File Notification Policy dialog box appears.
Configure the policy using the fields described in the following table.
Policy Name
Enter a name for this policy.

Brief Description (Optional)
Enter a brief description of the policy.

Base File Path
Can represent a file or an existing directory with a trailing \. Directories will not be created.
- Must be a fully qualified path, not a relative path (..\..\MyAlarms\).
- May be a local path (D:\Alarms\) or a UNC path (\\LR-ARM-NYC\Alarms\).
- Must include a directory:
  - Invalid: D:\ Valid: D:\Alarms\
  - Invalid: \\LR-ARM-NYC\ Valid: \\LR-ARM-NYC\Alarms\
- Windows file path maximum = 260 characters.
- The ARM Service needs permission to write to this path.
The ARM appends a time stamp formatted yyyyMMdd_HHmmss_fffffff to the base file name, between the file name and the extension, using the local file creation time. Examples:
- Output20101114_023933_1234567.dat
- LogRhythmAlarms20101114_023933_1234567.txt
The Base File Path may be a:
- File path. Example: D:\Alarms\Alarms.txt
- Directory path. Example: D:\Alarms\
- UNC path. Example: \\FileSrv03\Alarms\

Field Delimiter
Always inserted between the fields:
- Comma
- Semicolon
- Pipe
- Tilde
- Unit separator (ASCII 31)
If Quote String Values is unchecked, the ARM replaces any instance of the selected field delimiter character found in the original string values:
- Tab is replaced with 4 spaces.
- Other delimiters are replaced by a ? (question mark).

Record Delimiter
Always appended to each alarm record. To prevent an alarm record from wrapping prematurely, the ARM replaces all of the following supported record delimiters found inside a value with an escape value:
- Carriage Return + Line Feed (default): replaced with \r\n
- Carriage Return: replaced with \r
- Line Feed: replaced with \n
- Record Separator (ASCII 30): replaced with \^

Text Encoding
- ASCII (default): single-byte, 128 characters
- UTF-8: variable byte length, complete Unicode character set
- Windows1252: single-byte extended ASCII with accented Latin-1 characters

Include Header Row
When checked, a header row is written as the first line of each text file:
- The fields of the header row correspond to the names of the Include Alarm Fields.
- The Field Delimiter and Record Delimiter are the same as for data rows.
- Example: AlarmID,Alarm Date,Alarm Rule Name,Event Count

Quote String Values
Default = checked, meaning all Character Alarm Fields are enclosed in double quotes.
- All double-quote characters in the original string are converted to single quotes.
- Other data types are not affected by this check box.
- Examples when unchecked:
  HIPPA: Alarm On Attack
  Alarms when firewall says, "Interface Down"
- Examples when checked:
  "HIPPA: Alarm On Attack"
  "Alarms when firewall says, 'Interface Down'"

Include Time Zone in Dates
When unchecked, all date values inside the file use the following date and time format:
2010-11-14 11:22:36 AM
When checked, all date values inside the alarm file include the ISO 8601 time zone offset (±hhmm). Examples:
- (Colorado): 2010-11-14 11:22:36 AM-07:05
- (Hawaii): 2010-12-03 08:16:34 AM-10:00
For Hawaii, read "AM-10:00" as "UTC minus 10 hours and 00 minutes".
The time zone offset represents the selected time zone geography and is not affected by Daylight Saving Time.

Time Zone
Must be selected from the list. The local time zone is selected by default. All Alarm Field date values are converted from UTC to the selected Time Zone. The time stamp that is appended to the file name is the current time in the selected Time Zone.
The operating system (Windows Explorer) always displays the file Created, Modified and Accessed dates using the local system time zone. However, when the Text File Notification Policy specifies file rollover based on a time interval, the ARM converts the file creation date to the selected Time Zone to determine whether it should perform rollover. For example, a file policy specifies the UTC Time Zone and Daily rollover on an ARM host in the Mountain Time Zone. When an alarm is triggered, the ARM reads the current file creation time and converts that time to the selected Time Zone (UTC), then applies the Time Interval rollover settings. If the file was created on 11/19/2010 UTC and the current UTC time is 11/20/2010 UTC, the ARM rolls over to a new file before writing the alarm.
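The formatting rules in the fields above (field and record delimiters, the escaping of record delimiters inside values, Quote String Values, the date format with and without the time zone offset, the UTC-to-selected-zone conversion, and the time stamp inserted into the Base File Path) can be checked against a small reference writer. The Python below is an added example written for this page, not LogRhythm's own code. It assumes that Tab is an accepted field delimiter (the page describes the tab replacement but does not list Tab), that a directory-only Base File Path uses LogRhythmAlarms.txt as the base name (taken from the page's second time stamp example), and that the offset is written as hh:mm as in the page's examples; the time zone, alarm values and creation time are constructed sample input.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Field delimiter choices from the policy table. Tab is an assumption: the page says a
# tab delimiter is replaced with four spaces, so it is treated here as supported.
FIELD_DELIMITERS = {"comma": ",", "semicolon": ";", "pipe": "|", "tilde": "~",
                    "unit_separator": "\x1f",   # ASCII 31
                    "tab": "\t"}                # assumed
# Record delimiter written after each alarm record.
RECORD_DELIMITERS = {"crlf": "\r\n", "cr": "\r", "lf": "\n",
                     "record_separator": "\x1e"}  # ASCII 30
# Escape text substituted for each record delimiter found inside a value, so a value
# cannot end a record early. CRLF is handled before its CR and LF parts.
RECORD_ESCAPES = (("\r\n", r"\r\n"), ("\r", r"\r"), ("\n", r"\n"), ("\x1e", r"\^"))

# Constructed sample input.
MOUNTAIN = timezone(timedelta(hours=-7))  # fixed offset: the page says the selected zone ignores DST
SAMPLE_CREATED = datetime(2010, 11, 14, 2, 39, 33, 123456)
SAMPLE_ALARM = [101, datetime(2010, 11, 14, 18, 22, 36, tzinfo=timezone.utc),
                'Alarms when firewall says, "Interface Down"', 3]


@dataclass
class TextFilePolicy:
    field_delimiter: str = "comma"
    record_delimiter: str = "crlf"
    quote_strings: bool = True       # "Quote String Values", default checked
    include_tz_offset: bool = False  # "Include Time Zone in Dates"


def validate_base_path(path: str) -> str:
    """Base File Path rules: fully qualified, includes a directory, at most 260 characters."""
    if len(path) > 260:
        raise ValueError("Windows file path maximum is 260 characters")
    if path.startswith("\\\\"):
        parts = path[2:].split("\\")             # server, share, ...
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError("UNC path must include a directory, e.g. \\\\LR-ARM-NYC\\Alarms\\")
    elif len(path) >= 3 and path[1] == ":" and path[2] == "\\":
        parts = path[3:].split("\\")             # components after the drive root
        if len(parts) < 2 or not parts[0]:       # D:\ alone has no directory
            raise ValueError("local path must include a directory, e.g. D:\\Alarms\\")
    else:
        raise ValueError("Base File Path must be fully qualified, not relative")
    return path


def output_file_name(base_path: str, created: datetime) -> str:
    """Insert the yyyyMMdd_HHmmss_fffffff stamp between the base name and its extension."""
    directory, name = ntpath.split(validate_base_path(base_path))
    if not name:                                 # directory path: base name is assumed
        name = "LogRhythmAlarms.txt"             # (taken from the page's second example)
    stem, ext = ntpath.splitext(name)
    ticks = created.microsecond * 10             # fffffff is 100 ns ticks; Python keeps microseconds
    return ntpath.join(directory, f"{stem}{created:%Y%m%d_%H%M%S}_{ticks:07d}{ext}")


def format_value(value, policy: TextFilePolicy, tz: timezone) -> str:
    """Render one alarm field according to its data type."""
    if isinstance(value, datetime):
        local = value.astimezone(tz)             # dates are converted from UTC to the selected Time Zone
        text = local.strftime("%Y-%m-%d %I:%M:%S %p")
        if policy.include_tz_offset:             # written as hh:mm, following the page's examples
            secs = int(local.utcoffset().total_seconds())
            sign, secs = ("-" if secs < 0 else "+"), abs(secs)
            text += f"{sign}{secs // 3600:02d}:{secs % 3600 // 60:02d}"
        return text
    if isinstance(value, str):
        for raw, esc in RECORD_ESCAPES:          # keep a value from ending the record early
            value = value.replace(raw, esc)
        if policy.quote_strings:                 # quote, and turn embedded " into '
            return '"' + value.replace('"', "'") + '"'
        delim = FIELD_DELIMITERS[policy.field_delimiter]   # unquoted: neutralise the delimiter
        return value.replace(delim, "    " if delim == "\t" else "?")
    return str(value)                            # numbers and other types are written as-is


def format_record(values, policy: TextFilePolicy, tz: timezone) -> str:
    delim = FIELD_DELIMITERS[policy.field_delimiter]
    return delim.join(format_value(v, policy, tz) for v in values) + RECORD_DELIMITERS[policy.record_delimiter]


def format_header(names, policy: TextFilePolicy) -> str:
    """Header row: field names with the same delimiters as data rows (unquoted, as in the page's example)."""
    return FIELD_DELIMITERS[policy.field_delimiter].join(names) + RECORD_DELIMITERS[policy.record_delimiter]


if __name__ == "__main__":
    policy = TextFilePolicy(include_tz_offset=True)
    print(output_file_name("D:\\Alarms\\Alarms.txt", SAMPLE_CREATED))
    print(format_header(["AlarmID", "Alarm Date", "Alarm Rule Name", "Event Count"], policy), end="")
    print(format_record(SAMPLE_ALARM, policy, MOUNTAIN), end="")
```

Running the module writes the stamped file name, the header row and one data row to standard output. The point to notice for anyone consuming these files downstream is that with Quote String Values unchecked the selected delimiter is rewritten to `?` inside string fields, so the record can still be split on the delimiter, but the original character is lost; with it checked the delimiter survives and embedded double quotes become single quotes instead.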
File Rollover - Time Interval
When a Text File alarm notification is generated, the ARM compares the current date of the system clock to the alarm file creation time (both times are converted to the selected Time Zone):
- None. The ARM does not roll over the file based on the current date.
- Daily. The ARM creates a new file if the current file was created on any other day in the past.
- Weekly. The ARM creates a new file if the current file is at least 7 days old, or if the current file was created last week. Sunday AM is considered the start of a new week. If the current file was created on Fri, August 3rd and the File Rollover Interval is set to Weekly, the file rolls over on Sun, August 5th after midnight.
- Monthly. The ARM creates a new file if the current file was created during a month and year in the past.
File rollover occurs when either the Time Interval or the Max Size setting is reached, whichever comes first. Whenever you modify and save a Text File Notification Policy, the ARM rolls over the associated file.

File Rollover - Max Size
Enter an integer number of KBytes. After the file size has reached at least N KBytes, the next alarm causes a new file to be created.
- This value is multiplied by 1024 and compared to the file size in bytes.
- The default value is 1000 KBytes, which is 1 MB (1 KByte = 1024 bytes). For example, enter 2000 KBytes to roll over after the file size has reached 2 MB.
- This is not an absolute maximum: the ARM does not prevent the file size from exceeding the specified size. The ARM rolls over when the file size meets or exceeds the specified size.
- Entering a value of 0 KBytes causes the ARM to ignore the file size, preventing rollover based on file size.

Include Alarm Fields and First Message Fields
Select the items to include and use the up/down arrows to put them in the order you want.
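The rollover decision described under Time Zone, File Rollover - Time Interval and File Rollover - Max Size (convert the file creation time and the current time to the selected Time Zone, apply the interval rule, then the Max Size threshold) as an added Python example; this is illustration written for this page, not LogRhythm's code. The sample timestamps are constructed, and the Mountain Time Zone is modeled as a fixed UTC-7 offset because the page states that the selected zone's offset is not affected by Daylight Saving Time.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Tuple

UTC = timezone.utc
MOUNTAIN = timezone(timedelta(hours=-7))  # constructed fixed offset; the page says the selected zone ignores DST

# Constructed sample timestamps, stored in UTC as alarm dates are before conversion.
PAGE_CREATED = datetime(2010, 11, 19, 23, 30, tzinfo=UTC)   # page example: file created 11/19/2010 UTC
PAGE_NOW = datetime(2010, 11, 20, 0, 30, tzinfo=UTC)        # page example: alarm arrives 11/20/2010 UTC
WEEK_CREATED = datetime(2012, 8, 3, 10, 0, tzinfo=UTC)      # Fri, August 3rd
WEEK_SATURDAY = datetime(2012, 8, 4, 23, 59, tzinfo=UTC)    # still the same week
WEEK_SUNDAY = datetime(2012, 8, 5, 0, 1, tzinfo=UTC)        # Sun, August 5th after midnight
MONTH_CREATED = datetime(2010, 10, 31, 23, 0, tzinfo=UTC)   # Oct 31 23:00 UTC = Oct 31 16:00 Mountain
MONTH_NOW = datetime(2010, 11, 1, 3, 0, tzinfo=UTC)         # Nov 1 03:00 UTC = Oct 31 20:00 Mountain


def week_start(d: date) -> date:
    """Sunday that begins the week containing d (the page treats Sunday AM as the start of a week)."""
    return d - timedelta(days=(d.weekday() + 1) % 7)   # Monday is 0, so Sunday is 6


def should_rollover(created_utc: datetime, now_utc: datetime, tz: timezone,
                    interval: str, max_kbytes: int, file_size_bytes: int) -> Tuple[bool, str]:
    """Decide whether the next alarm goes to a new file, and say why.

    Both times are converted to the selected Time Zone first; the Time Interval rule is
    applied, then Max Size, so whichever condition is reached first triggers rollover.
    """
    created = created_utc.astimezone(tz)
    now = now_utc.astimezone(tz)

    if interval == "none":
        by_time = False
    elif interval == "daily":
        by_time = created.date() < now.date()              # created on any other day in the past
    elif interval == "weekly":
        by_time = (now - created >= timedelta(days=7)      # at least 7 days old, or
                   or week_start(created.date()) < week_start(now.date()))  # created last week
    elif interval == "monthly":
        by_time = (created.year, created.month) < (now.year, now.month)
    else:
        raise ValueError(f"unknown interval {interval!r}")
    if by_time:
        return True, f"{interval} interval reached"

    # Max Size: the KByte value is multiplied by 1024 and compared to the file bytes;
    # 0 disables size-based rollover. It is a threshold, not a hard cap on the file size.
    if max_kbytes > 0 and file_size_bytes >= max_kbytes * 1024:
        return True, f"file size {file_size_bytes} bytes >= {max_kbytes} KBytes"
    return False, "no rollover"


if __name__ == "__main__":
    # The page's example: a UTC policy with Daily rollover on an ARM host in Mountain Time.
    print("UTC policy:     ", should_rollover(PAGE_CREATED, PAGE_NOW, UTC, "daily", 1000, 0))
    print("Mountain policy:", should_rollover(PAGE_CREATED, PAGE_NOW, MOUNTAIN, "daily", 1000, 0))
    print("Weekly, Sunday: ", should_rollover(WEEK_CREATED, WEEK_SUNDAY, UTC, "weekly", 1000, 0))
```

The same pair of timestamps gives a different answer depending on the policy's Time Zone: in UTC the file creation date and the current date fall on different days, so Daily rollover fires, while in the Mountain zone both are still 11/19 and the alarm is appended to the existing file. That is the behaviour the Time Zone field describes, and it matters when you reconcile file names and Windows Explorer dates against the zone the policy selected.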
To save the policy, click OK.
To close the Notification Policy Manager, click OK.
To add the new Contact Method to the Contact Methods list, click Save.
To save the Person Properties, click OK.
Use the Alarm Rule editor’s Notify tab (or the Batch Notification Editor) to add the Person or Role to one or more Alarm Rules.
Ensure that the Alarm Rules are Enabled and properly configured with Log Source Criteria.