Skip to main content
Skip table of contents

Create New Base MPE Rules

Before you build any MPE rules, it is highly recommended that you attend the rule building training offered by LogRhythm. For information on training schedules, contact your LogRhythm sales representative.

  1. On the Tools menu, click Knowledge, and then click MPE Rule Builder.
    The Rule Builder window appears.
  2. On the main toolbar, click the New icon, and then click Yes to confirm your choice.
    The Rule Builder appears.
  3. In the General tab in the upper-left quadrant, type a Rule Name.

    When naming a rule, follow these accepted best practices:

    • When the matching log message contains a vendor message ID such as an event ID in Windows Event Logs, it is good to include the ID in the name of the rule. This makes searching for the rule easier and also makes the rule more descriptive of the log that it matches.
    • If the rule matches a log from a logging system that generates logs for a wide variety of services, such as the Windows Application Event Log, the service that generated the log message should be included in the rule name.
    • All rule names should contain a brief description of the action described by the log. For example: EVID 528 : Failed Authentication : Bad Username or Password
  4. To associate the rule with a Common Event, click Common Event.
  5. Click the Rule Status you want.

  6. Type a brief description for the rule.

  7. At the bottom of the quadrant, click the Processing Settings tab and complete the fields.

  8. At the bottom of the quadrant, click the Default Policy Settings tab and complete the fields. Change the following settings as necessary:

    1. Log Data Management Settings. You can choose to override Log Source settings.

    2. Log Processing Settings. Disable Automatic Host Contextualization (AHC). You can also disable AHC on individual sub-rules.

    3. Event Settings. You can choose to forward matching logs to the Platform Manager.

    4. LogMart Settings.

      1. Check the Override Log Source settings check box. The default is unchecked.

      2. Select Forward logs or Don't forward logs. The default is to forward logs.

      3. (Optional) You may click Advanced to select optional fields to store in LogMart. Defaults are shown in the following table.

        FieldDefault
        Origin Host FieldsX
        Impacted Host FieldsX
        ApplicationX
        Source Port
        Destination PortX
        ProtocolX
        LoginX
        AccountX
        GroupX
        DomainX
        Object
        URL
        SenderX
        RecipientX
  9. In the Log Message Source Type Association section in the upper-right quadrant move through the tabs to select a Log Message Source Type and any enter additional information you need.

  10. In the center pane of the Rule Builder window, enter the base rule Regular Expression to determine what items are parsed from a raw log.

  11. In the bottom pane of the Rule Builder window, enter the Sub-Rules by right-clicking the open area on the Sub-Rules tab.

    Use the Test Center tab to test the Regular Expression on log samples.

    Right-click the grid of the Test Center area to display a context menu that contains options to import .LLX files and manually import log messages, including multi-line logs.

    The Test Center cannot process rules that have the "Pattern" prefix. For more information, see Rule Processing Logic.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.