
Create Global Log Processing Rules

  Only Global Admins and Restricted Admins with elevated View and Manage privileges can take this action.

You can create a GLPR using the Global Log Processing Rule Manager or using a log message that is returned by a Tail or an Investigation. The process of defining the rule criteria is the same for each method.

If a log does not match GLPR filter criteria, it is processed according to the Classification Based Data Management (CBDM) or standard Data Management settings.

Example 1: Create a GLPR to override indexing, and the override specifies Don't Index:

  • A log does not match the GLPR filter criteria.
  • The classification is set to index based on a Global Classification setting in CBDM.
  • In this case, the log will be indexed.

Example 2: Create a GLPR to override indexing, and the override specifies Don't Index:

  • A log matches the GLPR filter criteria.
  • The classification is set to index based on a Global Classification setting in CBDM.
  • In this case, the log will not be indexed.

To create a rule from a Tail or an Investigation, right-click one of the logs or events, and then click Create Global Log Processing Rule. You will be prompted to define some of the rule criteria using most of the metadata in the log message or a limited set of the metadata. After selecting the metadata option for the rule criteria, the Global Log Processing Rule Wizard appears. Skip to step 4 in the following procedure.

To create a GLPR:

  1. On the main toolbar, click Deployment Manager.
  2. On the Tools menu, click Administration, and then click Global Log Processing Rule Manager.
    The Global Log Processing Rule Manager appears.
  3. Click the New Rule icon.
    The Global Log Processing Rule Wizard opens to the Classification tab.
  4. Click Add Item.
    The Classification Selector appears.
  5. Select an option from the Classification Type Filter list.
    The Classification list populates.
  6. Select one or more items from the Classification list.
  7. Click OK to return to the Global Log Processing Rule Wizard.
  8. Repeat the process to add as many additional filters as needed.
  9. Under Risk Based Priority (RBP) Criteria, specify the minimum Risk Based Priority (RBP) that log messages must meet to match the rule.
  10. Click Next.
    You move to the Include Filters tab. For more information, see Filters—Include Filter.
  11. Click Next.
    You move to the Exclude Filters tab. For more information, see Filters—Exclude Filter.

    An Include or Exclude Filter is required.

  12. Click Next.
    You move to the Log Source Criteria.
  13. Select one of the following:
    1. Include All Log Sources. This is the default.
    2. Include Log Sources from the Selected Lists. Selecting this option populates the grid below, where you can select the lists you want.
    3. Include the Selected Log Sources. Selecting this option populates the grid below, where you can select the log sources you want.
  14. Click Next to proceed to the Settings tab.
  15. Select the overrides you want according to the information in the following table.

    You must configure at least one override setting when creating a GLPR.

    Override Settings

    Log Data Management Settings

    Override Archiving
      Archive or Don't Archive
      Determines whether matching logs should be stored in offline archive files.

    Override Index
      Index or Don't Index
      Determines whether matching logs should be indexed in the online repository (also referred to as ‘Drop Whole Log’ in other areas of the product).

    Override Drop Raw Log
      Store Raw Log or Don't Store Raw Log
      Determines whether raw logs should be stored.

    Override Common Event
      Select this option and then select an alternate Common Event to forward to the Data Indexer, Platform Manager, or LogMart.
      When this option is enabled, the Override Common Event option under Event Management Settings is selected as read-only, and its value will be updated.
      Example: To configure LogRhythm to watch for Dropped Packet logs that are outbound and on a specific port that you suspect have been recruited into a botnet, change the Common Event to Dropped Packet: BotNet Traffic.

    Event Management Settings

    Override Event Forwarding
      Forward as Event, Don't Forward as Event, or Ignore Global Risk Based (RBP) Criteria
      Determines whether matching logs should be forwarded as an Event and stored in the Platform Manager Database.

    Override RBP Value Assigned
      Overrides the assigned RBP value. Specify a value between 0 and 100.

    Override Risk Rating
      Allows you to apply a custom Risk Rating to matching logs.

    Override False Alarm Rating
      Allows you to apply a custom False Alarm Rating to matching logs.

    Override Common Event
      Select this option and then select an alternate Common Event to forward to the Platform Manager.
      This does not change the log's Common Event. To do this, you must enable the Override Common Event option under Log Data Management Settings.
      Example: To configure LogRhythm to watch for Dropped Packet logs that are outbound and on a specific port that you suspect have been recruited into a botnet, change the Common Event to Dropped Packet: BotNet Traffic.

    LogMart Settings

    Override LogMart Forwarding
      Forward to LogMart or Don't Forward to LogMart
      Determines whether matching logs should be forwarded to the LogMart database.

    Override LogMart Aggregation
      Determines whether matching logs should be grouped together using customizable LogMart Record Fields. Click Settings to specify the optional fields that will be stored as part of every LogMart record.

    Advanced Intelligence (AI) Engine Settings

    Don't Forward Logs to AI Engine
      Overrides the option to forward logs to AI Engine.
  16. Click Next to proceed to the Information tab.
  17. Enter a name for the rule (required) and an optional description.
  18. If you want to set an expiration date for the rule, select the Configure Expiration Date check box and specify the date and time when the rule should expire.
  19. Click OK.
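The following Python model is an added illustration, not LogRhythm code, of how Example 1 and Example 2 above and the criteria configured in steps 4 through 15 combine: a log that fails any GLPR criterion keeps its CBDM settings, while a matching log has only the rule's overrides replaced. The field names, the CBDM defaults, the suspect port 6667 and the sample logs are constructed assumptions.

```python
# Added model of GLPR matching and override precedence; not LogRhythm code.
# Field names, the CBDM defaults and the sample logs below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Log:
    classification: str
    rbp: int        # Risk Based Priority, 0-100
    source: str     # log source name
    fields: dict    # constructed metadata such as direction and port

@dataclass
class Glpr:
    classifications: set                             # Classification tab
    min_rbp: int                                     # RBP criteria
    include: Optional[Callable[[Log], bool]] = None  # Include Filter
    exclude: Optional[Callable[[Log], bool]] = None  # Exclude Filter
    sources: Optional[set] = None                    # None = all log sources
    overrides: dict = field(default_factory=dict)    # Settings tab overrides

def matches(rule: Glpr, log: Log) -> bool:
    """A log matches only when every configured criterion is satisfied."""
    return (log.classification in rule.classifications
            and log.rbp >= rule.min_rbp
            and (rule.sources is None or log.source in rule.sources)
            and (rule.include is None or rule.include(log))
            and (rule.exclude is None or not rule.exclude(log)))

def process(log: Log, rule: Glpr, cbdm: dict) -> dict:
    """Start from the CBDM settings of the log's classification (Example 1);
    a matching GLPR replaces only the settings it overrides (Example 2)."""
    decision = dict(cbdm[log.classification])
    if matches(rule, log):
        decision.update(rule.overrides)
    return decision

# Constructed CBDM defaults: Dropped Packet logs are indexed and archived.
CBDM = {"Dropped Packet": {"index": True, "archive": True, "common_event": "Dropped Packet"}}

# Rule from the page's examples: outbound Dropped Packet logs on a suspect port
# (6667 is a constructed value) get Don't Index and the alternate Common Event.
BOTNET_RULE = Glpr(
    classifications={"Dropped Packet"}, min_rbp=0,
    include=lambda l: l.fields.get("direction") == "outbound" and l.fields.get("port") == 6667,
    overrides={"index": False, "common_event": "Dropped Packet: BotNet Traffic"},
)

MATCHING_LOG = Log("Dropped Packet", 50, "fw01", {"direction": "outbound", "port": 6667})
NON_MATCHING_LOG = Log("Dropped Packet", 50, "fw01", {"direction": "inbound", "port": 6667})
```

Calling process(MATCHING_LOG, BOTNET_RULE, CBDM) yields index False with the BotNet Common Event while archiving stays at its CBDM value; the inbound log keeps every CBDM setting.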