An Entity represents a physical location where LogRhythm is deployed. It is used to organize the deployment and contain network and host records and LogRhythm components. In small, single-site deployments, one Entity record may be enough, but deployments that span many sites require multiple Entity records.
The Global Entity is part of every deployment and is used to declare hosts and networks residing outside internal or organic networks. The Message Processing Engine (MPE) uses this information to match rules and create Events. For example, a network range could be defined for an IP address range prone to security risks. Then you could create Alarm Rules to notify someone each time the internal IDS registered an attack from these IPs. For more information, see Global Risk Based Priority.
Users may not remove the Global Entity or perform tasks such as deploying Data Processors or Agents in it. Such tasks can only be performed within user-created Entities.
The Global Entity is intentionally not listed anywhere except in the Deployment Manager, on the Entity tab, where it is always at the top of the tree.
Primary Site Entity
In every deployment, a Primary Site Entity is listed after the Global Entity. It is the default, user-definable Entity. If you have the proper credentials, you can modify its name and properties and add additional Entities.
Entity Relationships to Networks and Hosts
The Message Processing Engine (MPE) uses Network and Host records to set the Risk-Based Priority (RBP) and to associate the log and its associated event with a known host. The Entity acts as a boundary for the MPE: the MPE only analyzes a log message against the Network and Host records of the Entity to which the sending Agent is assigned. For example, if the sending Agent is assigned to the Site1 Entity, the MPE only analyzes its log messages against Network and Host records that are also assigned to Site1. It is very important to keep this in mind when you create the Entity structure and assign Agents, Networks, and Host records.
If you have sites with overlapping IP space, you must create separate Entity records for each site.
Origin and Impacted Entities
An Origin and Impacted Entity is assigned to every log message based on the following hierarchy:
- Use the Entity associated with resolved Known Host.
- Use the Entity associated with resolved Known Network.
- Use the IP Address:
  - If the IP address is a Private address, use the Root Entity of the Log Source Host.
  - If the IP address is a Public address, use the Global Entity.
  - If there is no IP address, use the Root Entity of the Log Source Host.
This approach assumes that an IP address which resolves to neither a known host nor a known network, and is not a Private address, is most likely an external address and should be assigned to the Global Entity.
The Entity resolution performed in the MPE assigns the Origin and Impacted Entity by finding matching Host Identifiers assigned to Hosts in the respective Entities; it DOES NOT fall back to matching on network ranges assigned to Networks. Furthermore, the Origin and Impacted Entity values resolved by the MPE are what is saved to the Data Indexer record.
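The following Python is an added illustration, not LogRhythm code, of the hierarchy listed above combined with the Entity boundary described earlier: lookups consult only the Host and Network records of the sending Agent's Entity, so two sites with overlapping 10.1.0.0/16 space resolve independently. The Entity/record shapes, the `root` attribute, and the use of RFC 1918 as the definition of "Private address" are assumptions for the example; the sample deployment and log messages are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

GLOBAL = "Global Entity"

# Assumption for this example: "Private address" means RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Entity:
    name: str
    root: str                                     # top of this Entity's tree (own name if top-level)
    hosts: set = field(default_factory=set)       # Known Host records, keyed by IP host identifier
    networks: list = field(default_factory=list)  # Known Network records as ip_network ranges


def resolve_entity(ip, agent_entity):
    """Origin or Impacted Entity for one address, following the page's hierarchy.
    Only the records of the sending Agent's Entity are consulted (the Entity boundary)."""
    if ip is None:                                           # no IP address in the message
        return agent_entity.root
    addr = ipaddress.ip_address(ip)
    if str(addr) in agent_entity.hosts:                      # 1. resolved Known Host
        return agent_entity.name
    if any(addr in net for net in agent_entity.networks):    # 2. resolved Known Network
        return agent_entity.name
    if any(addr in net for net in RFC1918):                  # 3a. unresolved private address
        return agent_entity.root
    return GLOBAL                                            # 3b. unresolved public address


def resolve_log(log, entities):
    """Assign Origin and Impacted Entity to one parsed log message (a dict)."""
    agent_entity = entities[log["agent_entity"]]
    return {"origin": resolve_entity(log.get("origin_ip"), agent_entity),
            "impacted": resolve_entity(log.get("impacted_ip"), agent_entity)}


# Constructed deployment: two sites share 10.1.0.0/16, so each needs its own Entity.
ENTITIES = {
    "Site1": Entity("Site1", "Site1", {"10.1.1.5"}, [ipaddress.ip_network("10.1.0.0/16")]),
    "Site2-Branch": Entity("Site2-Branch", "Site2", {"10.1.1.5"}, [ipaddress.ip_network("10.1.0.0/16")]),
}

if __name__ == "__main__":
    for log in [  # constructed log messages
        {"agent_entity": "Site1", "origin_ip": "10.1.1.5", "impacted_ip": "10.1.7.200"},
        {"agent_entity": "Site1", "origin_ip": "198.51.100.7", "impacted_ip": "192.168.50.9"},
        {"agent_entity": "Site2-Branch", "origin_ip": "10.1.1.5"},
    ]:
        print(log, "->", resolve_log(log, ENTITIES))
```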
The Origin and Impacted Entity Networks are determined by matching on network ranges for Networks defined in the entity structure.
Entities Reorganization Wizard Overview
The Reorganization Wizard provides a method for LogRhythm administrators to migrate Host and Network records between Entities. This enables logical restructuring of the log management system to match real-world changes in network topology and system placement.