
Benefits of JSON Log Source Collection for LogRhythm SIEM Users

  • Jul 01, 2024
  • Jake Haldeman
  • 3 minutes to read

    When it comes to log sources, we recognize there are limitless options. After all, more than 30,000 Software as a Service (SaaS) companies exist around the globe. While we can’t keep up with every SaaS tool in the market, Exabeam is taking log source collection to the next level.

    With the release of LogRhythm SIEM 7.17, we’ve opened our approach to make it easier than ever for analysts to get data into the self-hosted security information and event management (SIEM) platform. LogRhythm SIEM introduced new Open Collection Architecture methods that let customers instantly send JSON data to the SIEM through third-party sources that use the Lumberjack protocol on the System Monitor. Along with the JSON listener, LogRhythm SIEM enables you to tailor out-of-the-box and custom normalization rules that are easy to create and manage without having to use RegEx.

    Opening LogRhythm SIEM to Third Parties

    This feature comes in response to customer requests for a better experience. If you’re an analyst, you can now use third-party tools to collect important security logs from sources for which we have not yet implemented collection. This means there’s no wait time: we no longer need to release an official collection tool before analysts can collect the specific logs they want. For existing customers that are on an older instance of LogRhythm SIEM, this is a game-changer!

    If you are already using Open Collector and System Monitor Agent for normalization, you can now easily customize and adjust the normalization rules tailoring the SIEM to your needs.

    As illustrated in the graphic below, as logs come into the agent, they are normalized by rules created using the JSON rule builder and sent to the data processor to allow easy visualization in the Web Console.

    Simplify Customization with the JSON Policy Builder

    As analysts know well, parsing data is often challenging and typically requires some knowledge of RegEx. With LogRhythm SIEM 7.17, we’ve simplified the process, enabling you to send JSON logs into the System Monitor agent, which can normalize the JSON message without RegEx.

    We also introduced a JSON Policy Builder, a web-based tool that lets you easily map JSON values to the schema and export the policy file to place in the System Monitor Agent’s custom policy without the need to know how to script or code anything!

    To retain any custom normalization rules you build, the System Monitor Agent now features a folder to store files. This custom normalization policy folder enables customers and partners to safely store custom or modified normalization rules without risk of losing customizations, removing the concern about rules being overwritten or impacted during the upgrade process. Additionally, this folder ensures that any customizations done are evaluated first before any provided policies are considered.

    Through the simple UI, LogRhythm SIEM automatically extracts the data, and you can map it to the schema. This GUI-based wizard offers a drop-down menu to help you. For example, if the log includes usernames, you can assign that field to the schema’s User (Origin) or User (Impacted) fields.
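    To make the two ideas in the preceding paragraphs concrete (mapping JSON keys to schema fields such as User (Origin) and User (Impacted), and evaluating custom policies before the provided ones), here is an added example of a toy normalization engine. It is not LogRhythm's code, and the policy structure, policy names, schema field names and sample SaaS log lines are constructed assumptions, not the real policy file format.

```python
"""Toy JSON normalization with custom-before-provided policy precedence.

Added illustration only: the policy layout below is hypothetical and is not
LogRhythm's policy file format. Logs and policies are constructed samples.
"""
import json
from typing import Any, Dict, List, Optional

# A policy has a name, match conditions (JSON path -> required value) and a
# field map (schema field -> JSON path). Hypothetical structure.
Policy = Dict[str, Any]

# Vendor-provided policies (constructed for this example).
PROVIDED_POLICIES: List[Policy] = [
    {
        "name": "provided-saas-login",
        "match": {"event": "login"},
        "fields": {"User (Origin)": "actor.name",
                   "IP (Origin)": "src_ip",
                   "Result": "result"},
    },
    {
        "name": "provided-saas-download",
        "match": {"event": "file_download"},
        "fields": {"User (Origin)": "actor.email",
                   "Object": "file.name"},
    },
]

# Custom policies, as kept in the agent's custom policy folder; these are
# evaluated before any provided policy, so they override it on a match.
CUSTOM_POLICIES: List[Policy] = [
    {
        "name": "custom-saas-login",
        "match": {"event": "login"},
        "fields": {"User (Origin)": "actor.email",
                   "User (Impacted)": "target.user",
                   "IP (Origin)": "src_ip",
                   "Result": "result"},
    },
]

# Constructed sample JSON events from a hypothetical SaaS audit feed.
SAMPLE_LOGIN = ('{"event": "login", "actor": {"name": "Alice", '
                '"email": "alice@example.com"}, "target": {"user": '
                '"bob@example.com"}, "src_ip": "203.0.113.7", '
                '"result": "failure"}')
SAMPLE_DOWNLOAD = ('{"event": "file_download", "actor": {"email": '
                   '"carol@example.com"}, "file": {"name": "payroll.xlsx"}}')


def lookup(obj: Any, path: str) -> Optional[Any]:
    """Follow a dotted path such as "actor.email" through nested dicts."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def matches(policy: Policy, log: Dict[str, Any]) -> bool:
    """A policy applies when every match condition holds for the log."""
    return all(lookup(log, path) == value
               for path, value in policy["match"].items())


def normalize(log: Dict[str, Any], custom: List[Policy],
              provided: List[Policy]) -> Optional[Dict[str, Any]]:
    """Apply the first matching policy, custom ones first; None if unparsed."""
    for policy in list(custom) + list(provided):
        if matches(policy, log):
            event = {field: lookup(log, path)
                     for field, path in policy["fields"].items()}
            event = {k: v for k, v in event.items() if v is not None}
            event["Policy"] = policy["name"]
            return event
    return None  # no policy matched: the event would stay unparsed


def normalize_json_line(line: str, custom: List[Policy] = CUSTOM_POLICIES,
                        provided: List[Policy] = PROVIDED_POLICIES
                        ) -> Optional[Dict[str, Any]]:
    """Parse one JSON log line and normalize it; malformed input yields None."""
    try:
        log = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(log, dict):
        return None
    return normalize(log, custom, provided)


if __name__ == "__main__":
    for line in (SAMPLE_LOGIN, SAMPLE_DOWNLOAD, '{"event": "unknown"}'):
        print(normalize_json_line(line))
```

    Running the block shows the login event normalized by `custom-saas-login` (so User (Origin) comes from `actor.email`, not the provided policy's `actor.name`), the download event falling through to the provided policy, and the unknown event returning `None`, which is the case worth alerting on so unparsed sources do not go unnoticed.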

    Benefits of the JSON Policy Builder

    For customers, the JSON Policy Builder offers the following benefits:

    Analysts: You can create normalization rules that don’t require RegEx or other scripting languages, saving you time. Because creating custom Messaging Processor Engine (MPE) rules can be cumbersome, LogRhythm simplified the process when working with JSON logs. With this feature, you can spend less time ensuring log data is collected and properly parsed.

    CISOs: For CISOs, you can get more value out of LogRhythm SIEM without the added costs of customizations. In addition, CISOs can leverage visualizations, data, insight, and reports based on third-party tools regardless of LogRhythm’s interaction with the product.

    CFOs: This feature helps companies save money, an important benefit for CFOs. Users now can perform a task in minutes compared to what previously may have required several days of Professional Services time.

    You can access the new JSON Policy Builder from the Resource Center to quickly build rules with the logs you see working in the Web Console. Once you collect these normalization policies, we encourage you to use a tool like GitHub to help you distribute the policies to all the agents to keep them in sync.

    Upgrade to LogRhythm SIEM 7.17 Today!

    Enjoy the newest features in LogRhythm SIEM with our latest version 7.17! Existing customers can download LogRhythm SIEM 7.17 from Community. Further details and documentation on LogRhythm SIEM enhancements are available in our Release Notes and the Knowledge Base.

    Jake Haldeman

    Product Manager | Exabeam | Jake works on the team that determines how the Exabeam products will evolve to ensure its effectiveness and usefulness for organizations to protect themselves from cyberattacks. He leads an amazing team of 1,000+ market technology experts, across engineering and operations. Jake’s team builds award-winning systems for customer identification, personalization, engagement, loyalty, digital interaction and market content delivery. This helps our clients attract new customers and maintain brand loyalty.
