Log Source Identification and Acceptance
New Log Sources are saved in a separate Acceptance table (the New Log Sources grid) pending a direct action on the part of the user. This includes the following log source types:
- Syslog (TCP/UDP)
- Cisco NetFlow
- IPFIX
- Juniper J-Flow
- sFlow
- SNMP Traps
Additionally, two configurable identification processes, Automatic Log Source Configuration and Log Source Preregistration, are available so that LogRhythm can identify the source for you.
On the Log Sources tab, the New/Pending Log Sources can be viewed in the New Log Sources upper grid. The lower grid includes the active Log Sources that have already been accepted.
In the New Log Sources grid, the following columns appear:
Column | Description |
---|---|
Action | Batch actions operate on all checked rows. |
Status | One of three values. Incomplete: the new log source has not been identified by the system yet; the user can act on the record now or wait for the system to finish identifying it. When identification finishes, the status changes to Pending, but the user must manually refresh the list to see the latest values from the database. Pending: the new log source is waiting for the user to accept or reject it. Rejected: the user has rejected the new log source. Disable transmission of logs from the sending device before deleting the acceptance record; otherwise another pending log source will be generated. |
Search Scope | The search scope associated with the search result. For example, if duplicates were found at the Root Entity level, then this field would display Root Entity, even though the System Monitor might be configured for Global search scope. For information on changing the search scope of a System Monitor, see Set the Log Source Identification Search Scope. |
Search Result | The reason the Log Source search failed and a new log source acceptance record was created. There are two possible values: No matching log source found, or multiple matching log sources found. |
Log Interface | This is the interface associated with the log, such as Syslog. |
Device IP Address | The IP address that was either parsed out of the log message or determined by the message origin. May be IPv4 or IPv6, but never both. May be blank; however, either the log host or the IP address must be known. They cannot both be blank. |
Log Host Name | The computer or device name that was either parsed out of the log message or determined by the message origin. May be blank. Hostnames with a space are not supported by LogRhythm software. |
Log Source Host | Indicates whether a new host record will be created for this log source or an existing host record will be used. Must be resolved via the context menu. If the host has never been resolved, the resolved known host column displays blank values. When the user selects Resolve Known Host, the value is populated: if a matching host is found, it appears; if no matching host is found, New Host – [entity]:[hostname] appears. |
Log Source Type | If the log source type cannot be identified, then the user will have to assign a log source type before the record can be accepted. |
MPE Policy | The policy, if any, that is applied to this log source. |
Log Source Name | Default value is [host name] [log source type abbreviation], but the user can edit the name. |
Collection Host | Host performing the collection. |
Last Time Seen | The most recent time a request for this log source was received. Used to verify that requests are no longer being received prior to deleting the record. This value must be manually refreshed. |