Skip to main content
Skip table of contents

Modify Event Settings

Only Global Admins and Restricted Admins with elevated View and Manage privileges can take this action.

Event settings determine whether a log message is considered an event. The Client Console provides a convenient method of modifying Event settings for those with Global Admin credentials. This feature is available from Investigate and Tail output views and the Personal Dashboard Aggregate Event List.

For an alert to be generated, the Event settings for a log message must be configured to forward the message information as an event. Default event settings are applied to all supported log sources. However, it is highly recommended to disable event forwarding for log messages that are not of interest or where no alerting is necessary. For Default settings see Log Message Classifications.

  1. Access logs from one of the following:
    • Personal Dashboard
      • Aggregate Event List
    • Investigator
      • Log/Event Analyzer - Aggregate Log/Event List
      • Log Viewer
    • Tail
      • Aggregate Log/Event List
      • Log/Event List
  2. Right-click the row that displays the log message and select Edit Event Settings.
    The Edit Policy Event Settings window appears showing the associated Common Event of the selected log message. It also shows all MPE Rules that are linked to the Common Event and are currently assigned to a Log Processing Policy.

    Diagnostic events (internal LogRhythm System Events) cannot be modified. You receive an error message that indicate the operation is not applicable if you try to do so.

  3. Modify any of the following:
    • Forward. If checked, log messages matching the rule are transformed (report fields are parsed) and forwarded to the Platform Manager as an event.
    • Common Event Risk Rating. The risk the event poses on a 0 - lowest risk to 10 - highest risk scale.
    • Common Event False Alarm Rating. The likelihood the event might be a false alarm on a scale of 0 - never to 10 - very likely.

Editing any settings applies only to that particular rule, not any parent rules or settings, and is equivalent to modifying the override settings within a Log Processing Policy.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.