Create Custom MPE Sub-Rules

You must be logged in as an Administrator to take this action.

Administrators can create custom sub-rules to classify logs according to specific criteria. To make the process easier, LogRhythm allows you to clone an existing sub-rule, and then add custom filter criteria.

Refer to the topic Tag1-Tag5 for information on including generic tags in your custom subrules. These generic tags (<tag1> through <tag5>) are required to create sub-rules for fields in the LogRhythm Schema Dictionary that are marked with [7.2].

1. Run an Investigation.

2. Click the Log Viewer tab.

3. Select a sample of relevant logs.

4. Right-click the selected logs and select Copy Selected Logs to Rule Builder and Load Rule.
   The sub-rule that is currently classifying the logs is selected in the Sub-Rules tab in the bottom pane.

5. Right-click the selected sub-rule, and then click Clone.
   The Sub-Rule Properties window for the new sub-rule opens.

6. To make a separate rule, type a new Rule Name.

7. In the Common Event field, select the Common Event you want.

8. In the Rule Status field, select Production or Test.This step is necessary to enable the sub-rule in the MPE Policy.

9. In the Mapping Tags section, select the mapping you want.

10. Click OK.

11. On the main toolbar, click Deployment Manager.

12. Click the Log Processing Policies tab.

13. Double-click the relevant Log Source Type.
    The MPE Policy Editor window appears. The custom sub-rules appear at the top of the list.

14. Check the box next to the new custom sub-rule.

15. Right-click the sub-rule and select Properties.
    The MPE Policy Rule Editor opens.

16. Check the Enabled box.
    Logs meeting the qualifications of the sub-rule will now be classified according to the Common Event.

17. Click OK.