Configure LogRhythm CloudAI as a LogSource

CloudAI is now named LogRhythm UEBA.

However, both names are referenced in our documentation. While the product name is now LogRhythm UEBA, the user interface (UI) continues to reference CloudAI.

To make the CloudAI output logs visible in the LogRhythm SIEM, the LogRhythm Client Console needs to be configured to accept CloudAI log sources.

If you are using multiple DX in your SIEM environment make sure you set up LogRhythm CloudAI as a LogSource (LogSourceTypeName = "LogRhythm CloudAI") in all of your DX otherwise you may miss some LogRhythm UEBA output logs.

To configure a CloudAI log source:

1. Log in to the LogRhythm Client Console as a Global Administrator.
2. On the main toolbar, click Deployment Manager.
3. Click the System Monitors tab.
4. Double-click an Agent that can access the Data Indexer log files, such as an Agent on the Data Indexer.
   The System Monitor Agent Properties dialog box appears.
5. Right-click the grid on the bottom of the dialog box, and then click New.
   The Log Message Source Properties dialog box appears.
6. Complete the following tabs:
   • Basic Configuration
     • In the Log Message Source Type Field, add LogRhythm CloudAI.
     • In the Log Message Processing Engine (MPE) Policy Field, select LogRhythm Default.
   • Additional Settings
     • Select the Start collection from the beginning of the log check box.
   • Flat File Settings
     • In the File Path field, type one of the following, depending on your operating system:
       • Windows. C:\Program Files\LogRhythm\Data Indexer\logs\anomaly.log
       • Linux. /var/log/persistent/anomaly.log
     • In the Date Parsing Format field, select LR UEBA EventTime. 
7. To save the new log source, click OK.

For more information on configuring new log sources, see Log Sources.