Work with Existing AI Engine Rules
- On the main toolbar, click Deployment Manager.
- Click the AI Engine tab.
- On the bottom of the grid, click the Rules tab.
- On the Rules toolbar, click Action.
Select one of the actions shown in the following table. The action will be applied to all rules that have the Action check box selected.
| Option | Description |
| --- | --- |
| Enable | A confirmation prompt displays the number of rules that will be enabled. Allows a rule to be processed and generate alarms and events when appropriate. The Rule Status and Server status columns are updated where applicable. To enable a retired rule, click Activate, and then Enable. |
| Disable | A confirmation prompt displays the number of rules to be disabled. Prevents a rule from being processed. Flushes all state data for the rule from memory. |
| Pause | A confirmation prompt displays the number of rules that will be paused. Prevents a rule from generating new Events, but continues to maintain all state data for the rule. |
| Activate | A confirmation prompt displays the number of rules to be activated. Takes a rule out of retirement with an initial status of disabled. |
| Retire | A confirmation prompt displays the number of rules to be retired. Prevents a rule from being processed and removes it from the grid. Retired rules are not deleted because they may contain history, alarms, or events that require the rule to exist. To view retired rules in the grid, right-click the grid, click View, and then click Retired AI Engine Rules from the menu. To remove a rule from a retired state, click Activate. |
| Import | Opens the Import window, which allows you to import AI Engine Rules from a selected file into the database. Respond to the confirmation prompt for each file. To avoid clicking No for each file, click Cancel on the prompt. A progress bar appears at the bottom of the window during the import. Click Close to cancel the import. |
| Export | Exports rules to files with a system-generated file name in the following format: AIERule_0000000001_yyyyMMdd.airx, where 0000000001 is the rule ID. If the file name already exists, you are prompted to confirm overwriting it. The grid and toolbar are disabled while rules are exported. A progress bar appears at the bottom of the window during the export. To cancel the export, click Close. |
| Disable Data Segregation | Disables Entity-based Data Segregation. |
| Enable Log Source Entity Data Segregation | Enables Entity-based Data Segregation. Only the Log Source Entity or the Log Source Root Entity can be enabled at one time. |
| Enable Log Source Root Entity Data Segregation | Enables Root Entity-based Data Segregation. Only the Log Source Entity or the Log Source Root Entity can be enabled at one time. |
| Assign Rule Set | Displays the Rule Set Selector to allow you to assign the rule to a Rule Set. |
| Assign Group | Opens the AI Engine Rule Group Assignment window to allow you to assign a rule to a new or existing group. You can organize rules into groups to sort and filter them in the Rule Manager. The group name can be a maximum of 50 characters long. |
| Batch Notification Editor | Opens the Alarm Rule Batch Notification Editor to allow you to configure notification properties for multiple rules at the same time. Edits to AI Engine batch notifications do not take effect until the AI Engine servers have been restarted. |
| Batch Enable Alarms | Enables or disables the alarms associated with the selected rules. Alarms for retired rules cannot be enabled. |
| Batch Enable Automatic Drilldown | Enables or disables automatic drilldown on the selected rules. The automatic drilldown state is changed regardless of alarm status; however, automatic drilldown will not work unless alarming is enabled. If the AIE Drill Down Cache is disabled in the LogRhythm Configuration Manager, automatic drilldown does not work, even if you opted to enable it here. For more information, see Install a New LogRhythm Deployment. The AIE Automatic Drilldown feature populates information in the AIE Summary Fields within the web console. This feature currently has a 60 second timeout period, after which, if the logs have not yet been collected, the AIE Summary Field appears blank. The Automatic Drilldown feature is intended to contextualize critical alarms as opposed to being used for all alarms. LogRhythm cannot guarantee a 100% success rate when attempting to use the Automatic Drilldown feature for all alarms. |