Skip to main content
Skip table of contents

Add a Single Log Source

You must be logged in as an Administrator to take this action.

  1. On the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Select the Agent where you want to add a Log Source.
  4. Right-click the selection and click Properties.
    The System Monitor Agent Properties window opens.
  5. Right-click in the lower pane and select New to open the Log Message Source Properties window.
  6. In the Basic Configuration tab, enter the appropriate information.

    PropertyDescription
    Basic Configuration Tab

    Log Source Host

    The Host for the log file.

    Collection AgentThe System Monitor Agent performs the log collection.
    Log Message Source Type

    The type of source of the log data. Example, Microsoft Event Log - Security. The Log Source Type Selector lets you choose between System Log Sources and Custom Log Sources that you have created. For more information, see Log Source Types.

    You must create parsing rules for the new, custom log sources before data can be parsed from the logs. Contact LogRhythm Support to submit a request for parsing rules for a new Log Source Type. Users who attended LogRhythm Rule Building training can create their own custom parsing rules.

    Log Message Source NameThe name of the log source being configured.
    Brief
    Description
    Description of the log source being configured.
    Log Message
    Processing Mode
    Enable or disable processing or event forwarding.
    Log Message Processing Engine (MPE) PolicySelect the MPE Policy to assign to the log source being configured.
    Forward Logs to LogRhythm LogMart

    Select to enable log forwarding to LogMart.

    A GLPR can override log forwarding to LogMart.

  7. In the Additional Settings tab, enter the appropriate information.

    PropertyDescription
    Additional Settings Tab

    Virtualization Settings

    A virtualized Log Source collects logs from more than one real source (multiple switches, access points, etc.) via the Agent's syslog. The identifiers are data that would trigger the Agent to assign the log to this virtual Log Source.

    Select the check box for the identifier you want.

    Load Balanced Log Source

    Enable this setting when using Load Balanced Agent Groups and DP Pooling. When enabled the Log Source is a load-balanced Log Source. Be sure the Agents that receive load-balanced log sources are configured to communicate with all Mediators that are used for load balancing for that set of Agents. Configuring these Agents to communicate with only some of the Mediators in the set will result in errors. For more information, see Load Balancing.

    Log Data Management and Processing Settings
    • Don't Archive. A copy of the logs is not written to the archive.
    • Drop Whole Log. Log messages are not indexed or written to the Events DB or LogMart. Logs are archived unless Don't Archive is selected.
    • Drop Raw Log. Only log metadata is indexed. Logs are archived unless Don't Archive is selected.
    Silent Log Message Source Settings
    • Enable Silent Log Message Source Detection. Select to begin detecting Silent Log Message Sources.
    • Issue Warning After n hours and n minutes. Set a time frame before a Warning is issued due to a log source not being received.
    • Issue Error After n hours and n minutes. Set a time frame before an Error is issued due to a log source not being received.
    Start Collection from the Beginning of the LogWhen enabled, the System Monitor Agent starts the log collection at the beginning of the log to obtain all historical Event Logs. Collecting historical data can be time intensive lasting hours to days to catch up with real-time data.
    When disabled, the log collection starts in real time at the current time and date.
  8. In the Flat File Settings tab, enter the appropriate information. For additional information on collecting local flat files and Windows Extended Event log, see Configure a Host for Local Flat File Collection.

    PropertyDescription
    Flat File Settings Tab
    File Path

    Define the path to the directory or log file.

    Examples: Directory path = C:\Logs; Log file path = C:\Logs\error.log

    If you enter a directory path, you must enable the Is Directory field.

    If you enter a log file path, you cannot enable the Is Directory field.

    Date Parsing
    Format

    Define regular expression (Regex) patterns to be used by a System Monitor Agent for parsing date information from log files.

    To open the Date Format Manager, click the ellipsis [...] button after the Date Parsing Format field. Select an existing date parsing format or create a new one by clicking File, and then clicking New.

    Multiline Log Message Settings

    • Log Message Start Regex. Serves to indicate the start of a multiline log entry. If a line read for a log file matches this Regex string, it indicates the beginning of a new log entry.
    • Log Message Delimiter Regex. Serves to indicate that the current line delimits log entries. When the line matches the Regex string, it indicates that the previous entry is complete and a new log entry follows on the next line. The line matched by the Log Message Delimiter Regex is discarded and not included in any log entry.
    • Log Message End Regex. Serves to indicate the end of a multi-line log entry. If a line read from a log file matches this Regex string, it indicates the end of the current log entry. The line matched is included in the log entry.

    Usually, only one of the three parameters is necessary, dependent upon which configuration parameter offers the most simplistic Regex.

    For additional information, see Multi-Line Log Collection.

    Directory Collection
    Is Directory
    Select to indicate that the file path entered above is a directory. Selecting this box allows files to be collected recursively through the directory and enables the other fields in the Directory Collection area.
    Watch File Rename On RolloverCheck this box when collecting log files that are renamed on rollover. Uncheck this box when collecting logs that do not get renamed on rollover.
    Recursion Depth

    Select a number to indicate the number of folder levels relative to the File Path entry.

    Example: When the path = C:\Logs

    The depth for files in C:\Logs = 0

    The depth for files in C:\Logs\20100430 = 1

    Inclusions

    If you do not want to collect logs from all files, add the inclusions required.

    Inclusion is extremely flexible and allows a complex use of wildcards. It is based on the model used in File Integrity Monitor. If you are not familiar with how Inclusion functions in FIM, read the FIM section Inclusion and Exclusion Filters for detailed information before you complete this field.

    Exclusions

    If you do not want to collect logs from all files, add the exclusions required.

    Exclusion is extremely flexible and allows a complex use of wildcards. It is based on the model used in File Integrity Monitor. If you are not familiar with how Exclusion functions in FIM, read the FIM section Inclusion and Exclusion Filters for detailed information before you complete this field.

    Compression TypeSelect the type of compression (for example, gzip, tar, targzip, bzip2, zip, or none).
    • File Path

    • Date Parsing Format

      1. Open the Date Format Manager by clicking the ellipsis [...] button after the Date Parsing Format field.

      2. To select a system date format or create a new one, click the File menu, and then click New.

    • Multiline Log Message Settings

    • Directory Collection

    • Compression Type

  9. Enter the appropriate information in the UDLA Settings tab (Universal Database Log Adapter). For more information, see Configure UDLA Log Collection.

    PropertyDescription
    UDLA Settings Tab
    ODBC / OLE DBSelect the ODBC or OLE DB connection type.
    Connection StringThe connection string for the UDLA Log Message Source.
    Query StatementThe SQL select statement that returns the fields comprising the log entry. The select statement must contain a state field and unique identifier fields.
    Output FormatDetermine how to format the returned rows as text.
    Unique Identifier FieldDetermine how an absolute unique record identifier is defined. This value is used for state tracking. Can be a list of comma separated fields.
    Message Date FieldDetermine which field is used for determining log message date. The value parsed from this field is stored in Msg.MsgDate. This value is also normalized and stored in Msg.NormalMsgDate.
    State Field TypeDetermine how state tracking is performed.
    State FieldDetermine which table column to use for state tracking.
    State Field ConversionThe SQL statement required to convert the state column (if applicable).
    Get UTC Date StatementThe SQL statement that returns the current system time in UTC for use in date normalization.
  10. In the Additional Info tab, enter any additional notes or information.

    PropertyDescription
    Additional Info Tab
    Additional DetailsA text field to add descriptive information about the log source.
    Event Log Filter (XML query)

    A text field to add an XML query. 

    For information on creating and testing an XML query, see the Microsoft Tech Community post on Advanced XML filtering in the Windows Event Viewer.

    The Event Log Filter text field is only enabled for the Vista Event Log type. All MS Windows Event Logging log sources are included in the Vista Event Log type.

  11. Click OK.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.