Create Custom Log Source Types
You must be logged in as an Administrator to take this action.
To customize sub-rules, you can create your own log source type, clone the Catch-All base rule to your new log source type, and then add sub-rules based on the sample logs coming in.
For more information on base rules and sub-rules, see Message Processing Engine Rule Builder.
Create a New Log Source Type
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Knowledge, and then click Log Source Type Manager.
The Log Source Type Manager appears.
- In the top-left corner, click the green plus to create a new log source type.
- Complete the Name and Abbreviation fields.
- Select a Log Format from the list. In most cases, the format will be syslog.
- (Optional) Complete the Brief Description and Additional Details fields.
- Click OK.
The new log source type appears at the bottom of the grid.
- Click Close.
Create a New MPE Rule
- On the Tools menu, click Knowledge, and then click MPE Rule Builder.
The Rule Builder window appears.
- In the Log Message Source Type Associations section on the right, expand Custom Log Source Types.
The new log source type you added appears in this section.
- Select the check box for the new log source type.
- In the General section on the left, enter a rule name.
When naming a rule, follow these accepted best practices:
- When the matching log message contains a vendor message ID, such as an event ID in Windows Event Logs, include the ID in the name of the rule. This makes searching for the rule easier and also makes the rule more descriptive of the log that it matches.
- If the rule matches a log from a logging system that generates logs for a wide variety of services, such as the Windows Application Event Log, include the service that generated the log message in the rule name.
- Use rule names that contain a brief description of the action described by the log. For example: EVID 528 : Failed Authentication : Bad Username or Password
- To associate the rule with a Common Event, click the icon to the right of the Common Event field.
Use the filters to select the Common Event you want, and then click OK.
For more information on Common Events, see the Common Event Manager topic.
- In the General section on the left, select Production in the Rule Status field. Rules must be set to Production for the log source type to be available in the Client Console.
- In the Base-rule Regular Expression section, enter the following regex: .*?
This expression matches any log message, which is what makes the base rule a catch-all; the sub-rules you add later do the specific matching.
- In the upper-left corner of the Rule Builder, click the black save icon, and then click the yellow folder to open the Rule Library.
- In the menu on the left, search for the log message source type you created, and then click it to see the associated MPE rule you created.
After you verify it is there, you can close the Rule Browser.
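The following Python script is an added illustration of the base-rule/sub-rule idea behind the catch-all regex above; it is not LogRhythm code and does not reproduce the MPE's actual matching engine. It models a base rule whose regex is `.*?` with two ordered sub-rules beneath it, runs a few constructed sample log lines through them, and shows that every line is claimed by the base rule while only the specific lines get a sub-rule and parsed fields. The sub-rule regexes, the capture-group names (`login`, `reason`, `sip`), the Common Event names, and the log formats are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not from the page); the formats are invented.
SAMPLE_LOGS = [
    "EVID=528 user=jsmith result=failure reason=bad_password src=10.0.0.5",
    "EVID=4624 user=asmith result=success src=10.0.0.7",
    "healthcheck: all services nominal",
]


@dataclass
class SubRule:
    """A sub-rule: a specific regex with named capture groups (hypothetical field names)."""
    name: str
    regex: str
    common_event: str  # hypothetical Common Event name


@dataclass
class BaseRule:
    """A base rule; the catch-all uses the regex .*? from the page and owns ordered sub-rules."""
    name: str
    regex: str
    sub_rules: list = field(default_factory=list)


def base_rule_matches(rule: BaseRule, log: str) -> bool:
    # re.match anchors at the start of the string; '.*?' lazily matches zero or
    # more characters, so the catch-all base rule matches every log line,
    # including an empty one.
    return re.match(rule.regex, log) is not None


def classify(log: str, base_rules: list) -> dict:
    """Return the first matching base rule and, within it, the first matching sub-rule.

    Sub-rules are tried in list order and the first match wins, so more
    specific sub-rules should be listed before more general ones.
    """
    for base in base_rules:
        if not base_rule_matches(base, log):
            continue
        for sub in base.sub_rules:
            m = re.search(sub.regex, log)
            if m:
                return {"rule": sub.name, "common_event": sub.common_event, "fields": m.groupdict()}
        # No sub-rule matched: the log still lands in the base rule, unparsed.
        return {"rule": base.name, "common_event": None, "fields": {}}
    return {"rule": None, "common_event": None, "fields": {}}


CATCH_ALL = BaseRule(
    name="Catch-All",
    regex=r".*?",
    sub_rules=[
        SubRule(
            name="EVID 528 : Failed Authentication : Bad Username or Password",
            regex=r"EVID=528 user=(?P<login>\S+) result=failure reason=(?P<reason>\S+) src=(?P<sip>\S+)",
            common_event="Authentication Failure",
        ),
        SubRule(
            name="EVID 4624 : Successful Logon",
            regex=r"EVID=4624 user=(?P<login>\S+) result=success src=(?P<sip>\S+)",
            common_event="Authentication Success",
        ),
    ],
)


def classify_samples() -> list:
    """Classify every constructed sample line against the catch-all base rule."""
    return [classify(line, [CATCH_ALL]) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, classify_samples()):
        print(f"{result['rule']!r}: {result['fields']}  <- {line}")
```

The third sample line shows the practical consequence of the `.*?` base rule: a message no sub-rule recognizes is still accepted by the log source type, but it arrives with no parsed fields, so unparsed volume under the catch-all is a useful signal that a sub-rule is missing.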
Create a New Log Processing Policy
- On the main SIEM toolbar, click Deployment Manager.
- Click the Log Processing Policies tab.
- In the top-left corner, click the green plus to create a new log processing policy.
The Log Source Type Selector appears.
- Use the filters to find the log source type you created in step 3 of Create a New Log Source Type. Select it, and then click OK.
- Enter a name for the new MPE policy.
- In the grid, select the Edit check box for the rule you want, right-click the rule, and then select Properties.
- Select the Enabled check box but leave the rest of the default settings.
- To complete the policy creation, click OK, and then click OK again.
- In the Log Processing Policies grid, use the filters to find the policy you created.
- Find the Policy ID column (by default, it is the last column on the right), and take note of the value there.
You need this value to create the Log Source Virtualization Template.
Configure the Log Source Virtualization Template
Before you complete this procedure, you need to create a log source virtualization template. For more information, see Create Log Source Virtualization Templates.
- In the Client Console, click Deployment Manager on the main toolbar.
- On the Tools menu, click Administration, and then click Log Source Virtualization Template Manager.
- Right-click anywhere within the Log Source Virtualization Template Manager window, click Action, and then click Import.
The Import dialog box appears.
- Browse to the template you created.
- Click Open.
The Import Successful message appears.
- After the template loads and is visible in the grid, click Close.
- On the Deployment Manager toolbar, select the Log Sources tab.
- In the grid, double-click the custom parent log source you created in the Create a New Log Source Type procedure.
The Log Message Source Properties dialog box appears.
- Select the Log Source Virtualization tab, and then click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears.
- Scroll to the bottom of the list to verify that the newly created log source is present. Then click Save.
A confirmation message appears.
- To continue, click OK.
- In the Log Sources grid, use the Log Source Name to find the newly added log source and double-click it.
The Log Message Source Properties dialog box appears.
- To the right of the Log Message Source Type field, click the log message source type selector icon.
The Log Source Type Selector appears.
- Use the filters to find the log source type you created, select it, and click OK.
- In the Log Message Processing Engine (MPE) Policy field, select the MPE policy you created in the Create a New Log Processing Policy procedure.
- Click OK.