A log source is a unique source of data that is collected from a host. Log source monitoring refers to the continuous and consistent monitoring of multiple logs that originate from various sources to determine what events are occurring in your systems. However, sometimes a log generation from the source systems stops when a potential issue is detected in your IT infrastructure.
Detecting and alerting users when a device stops sending logs to the monitoring tool is essential because it may indicate a failure or a security breach that needs to be addressed promptly.
Resolution Intelligence Cloud enables you to receive alerts when a log source stops sending data after a certain period of time, and it provides you with an interactive UI to configure rules and create alerts. Currently, Netenrich notifies you when a log source stops sending telemetry data for more than four hours.
To receive the alerts on time, you will need to set up the following configurations before setting up log source monitors.
Configuring a Log Source Monitor
Creator or Reviewer or Publisher from Domain, Organization, and Tenant can create log source monitors.
- Hover over icon at the top left corner or click icon at the top right corner
- Navigate to Configurations --> Chronicle CMS at the left nav-bar.
- Click Log Source Monitor icon.
- On the Log Source Monitor listing page, click +Add Log Source Monitor at the top right.
- Enter Title, and Description (mandatory) for Log Source Monitor.
- In Select Log Source by, select any one of the following.
- Type: denotes categories like Office365, Carbon Black EDR etc.
- Name: denotes specific names of log sources such as Cisco, Juniper firewalls etc.
You can select multiple types or multiple names from the dropdown lists.
7. In the Severity field, select any of the following.
8. In Alert me if no telemetry is received from the selected log source(s), select any option from the dropdown.
Note: Currently, Netenrich notifies you when a log source stops sending data for more than three hours from the last log activity time.
9. Click Save. It will be moved to the draft state.
10. Click Actions --> Publish to publish a rule. It will be moved to the Enabled state.
If it is failed, then it will be moved to the failed state. You can retry to change the failed state to the enabled state. Also, you can disable a rule which is in the enabled state.
Updating a Log Source Monitor
Creator or Publisher from Domain, Organization, and Tenant can update the log source monitors.
Note 1: a log source monitor is applicable to the draft, failed, enabled, and disabled states.
To update log source monitors,
- Navigate to Chronicle CMS from the left menu and click Log Source Monitors.
- Click the log source monitor that you would like to edit/update.
- Click Actions --> Update.
- Enter your significant changes.
The log source monitor is in the draft state before publishing it.
- Click Actions --> Publish
The log source monitor will be moved to the enabled state.
Note 2: Once you update and publish the log source monitor, the previous version will be disabled, and the updated one will be enabled.
Finding Log Source Monitors
The free text search filters the log source monitors by text in the title field. There is no Search button.
Sorting Log Source Monitors
The log source monitor page lists all log source monitors (Enabled, Disabled, and Draft) in the listing page after creating or publishing them. You can sort them based on the following list of options.
|Last Modified On||Date and Time of last change to a log source monitor|
|Title||Title of a log source monitor that you have given while creating|
|Most Used||Frequently used log source monitor|
|Created On||Date and Time on which a log source monitor is created for the first time|
|Name||Name of a log source monitor that is generated automatically after creating it|
|Severity||Assigned level of importance (i.e High, Medium, and Low). Higher levels appear on top of the listing page.|
|Company Name||Name of a company that created and published a log source monitor.|
|Company Type||Type of a company that created and published a log source monitor.|
|Owner Company||A company at which a log source monitor is created and published initially. For example, if a log source monitor is created and published at the platform account, then the platform is the owner.|
|Status||The current state of a log source monitor (Enabled, Disabled, and Draft).|
To rearrange log source monitors in descending or ascending order, click or .