Filter LogRhythm Diagnostic Events
LogRhythm generates diagnostic logs and automatically stores them in the EventsDB. Administrators can configure their Data Processors to filter out these logs and prevent them from being inserted into the EventsDB.
For each Data Processor in the environment:
Navigate to the Data Processor’s configuration file, scmedsvr.ini.
The default location for this file is C:\Program Files\LogRhythm\LogRhythm Mediator Server\config.
Edit the file by appending the following to the configuration:
[OPTIONAL]
FilterEventIDs=
To filter out diagnostic events, add the Common Event IDs of the diagnostic events, comma-separated, to the FilterEventIDs parameter. For example:
[OPTIONAL]
FilterEventIDs=-1100529,-1100445,-1000019
Note: Only negative values are accepted. Negative Common Event ID values are reserved for LogRhythm Diagnostic logs. To filter out other Common Events, use Global Log Processing Rules.
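The following script is an added example, not part of the LogRhythm documentation: it merges new IDs into the FilterEventIDs value of an [OPTIONAL] section, de-duplicates them and rejects anything that is not a negative integer, since positive Common Event IDs are silently not honored by this parameter. It assumes scmedsvr.ini parses as a standard INI file; the sample content below is constructed.

```python
"""Validate and merge FilterEventIDs in a LogRhythm scmedsvr.ini-style file."""
import configparser
import io

# Constructed sample of the [OPTIONAL] section; a real scmedsvr.ini has
# many more sections and keys, which configparser preserves on rewrite.
SAMPLE_INI = """[OPTIONAL]
FilterEventIDs=-1100529,-1100445
"""


def parse_filter_ids(value: str) -> list[int]:
    """Split a comma-separated FilterEventIDs value into integers.

    Only negative Common Event IDs are accepted by FilterEventIDs, so a
    positive or non-numeric token is a configuration error, not a filter.
    """
    ids = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            n = int(token)
        except ValueError:
            raise ValueError(f"FilterEventIDs: not an integer: {token!r}")
        if n >= 0:
            raise ValueError(f"FilterEventIDs: {n} is not negative; "
                             "use a Global Log Processing Rule instead")
        ids.append(n)
    return ids


def merge_filter_ids(ini_text: str, new_ids) -> str:
    """Return ini_text with new_ids merged into [OPTIONAL] FilterEventIDs."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as the Data Processor expects
    cp.read_string(ini_text)
    if not cp.has_section("OPTIONAL"):
        cp.add_section("OPTIONAL")
    existing = parse_filter_ids(cp.get("OPTIONAL", "FilterEventIDs", fallback=""))
    wanted = parse_filter_ids(",".join(str(i) for i in new_ids))
    merged = list(dict.fromkeys(existing + wanted))  # de-dup, keep order
    cp.set("OPTIONAL", "FilterEventIDs", ",".join(str(i) for i in merged))
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # emit "Key=value" form
    return out.getvalue()


if __name__ == "__main__":
    print(merge_filter_ids(SAMPLE_INI, [-1100529, -1000019]))
```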
Common Diagnostic Logs
Below is a list of common diagnostic logs generated by the SIEM and their associated Common Event ID.
| Diagnostic Log Common Event Name | Common Event ID |
|---|---|
| LogRhythm MPE Rule Performing Poorly | -1100020 |
| LogRhythm Agent Heartbeat Missed | -1100003 |
| LogRhythm Silent Log Source Error | -1100006 |
| LogRhythm Diagnostics Event | -1000001 |
| LogRhythm Agent Log Source Open Failed | -1000075 |
| LogRhythm Agent Failed Virtual Source Lookup | -1000374 |
| LogRhythm Agent Failed To Obtain File Stats | -1000100 |
| LogRhythm Agent Socket Connect Failure | -1000271 |
| LogRhythm Silent Log Source Resumed | -1100007 |
| LogRhythm Agent Syslogng Socket Option Failed | -1000425 |
| LogRhythm Silent Log Source Warning | -1100005 |
| LogRhythm Agent File Monitor Error | -1000085 |
| LogRhythm Agent Log Collection Start | -1000087 |
| LogRhythm Agent Heartbeat Resumed | -1100004 |
| LogRhythm Agent Syslog Socket Bind Failure | -1000066 |
| LogRhythm Message Storing | -1100505 |
| LogRhythm Mediator Invalid Connection Closed | -1000307 |
| LogRhythm Agent Bad Mediator Host | -1000171 |
| LogRhythm Agent File Exceeds Size Hash Limit | -1000141 |
| LogRhythm Mediator Invalid Protocol Msg Version | -1000172 |