Before beginning these instructions, record the Regex of the original log source.
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Administration, and then click Log Source Virtualization Template Manager.
At the bottom of the dialog box, click the Virtual Log Source Manager button.
The Virtual Log Source Manager appears.
On the upper-left side of the Virtual Log Source Manager dialog box, click the New Template Item icon.
In the Virtual Log Source Name field, type a name.
In the Identifier Regex text box, specify a regex pattern that identifies the virtual (child) log source.The Identifier Regex is a regular expression to match the log message. For example, you might want to split Office 365 Management Activity API logs into one log source per service (Exchange, Sharepoint, Azure Active Directory). For a log like:
TS=2018-05-01T15:27:14 SESSID=123 COMMAND=MailboxLogin USERTYPE=Regular USERKEY=123 WORKLOAD=Exchange RESULTCODE=Succeeded
the Identifier Regex for Exchange would be:
The Identifier Regex that matches both Sharepoint and OneDrive would be:
(Optional) If you want to drop all logs matching the specified regex, select the Drop Logs check box.
If you enable the Drop Logs option, you cannot select a Log Message Source Type or MPE Policy. The Log Source Type is LogRhythm Filter, and the LogRhythm Default MPE policy is applied. At this point, you can save the virtual log source.
To search for a log source type, click the Log Message Source Type icon.
The Log Source Type Selector dialog box appears.
To narrow the list of log source types, select a Record Type Filter and/or type a Text Filter.
To include retired log source types in the list, select the Show Retired check box in the lower-left corner of the dialog box.
In the Log Source Type list box, select the appropriate log source type, and then click OK.
On the Log Processing Message Engine (MPE) Policy menu, click an MPE policy.
The virtual log source is created and ready to use.