The Log Management tab in the Alert Logic® console provides access to configuration of log management policies, schedules, and alert rules.
Correlation Policies
A correlation policy creates a new log message when Alert Logic log management collects a configured number of messages of specified types within a configured time frame. The matching messages can be filtered on their parsed fields, and the policy defines the custom message that is generated. Once created, these generated messages can be used to trigger alerts.
For more information, refer to our Correlation Policy help documentation.
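The count-within-a-window behaviour described above, as an added example that is not Alert Logic's code and does not reproduce its internal message format: a small correlator that counts messages of configured types, filtered on parsed fields and grouped by a parsed field, inside a sliding window, and emits a synthesized message once the threshold is reached. The line format, the message type and field names, the policy and the sample log lines are all constructed for this illustration.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed line format for this example only (not an Alert Logic format):
#   <ISO-8601 timestamp> <message type> key=value key=value ...
LINE_RE = re.compile(r"^(\S+) (.+?)((?: \w+=\S+)*)$")

@dataclass
class ParsedMessage:
    ts: datetime
    msg_type: str
    fields: dict

def parse_line(line):
    """Parse one constructed log line into timestamp, message type and parsed fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, msg_type, kv = m.groups()
    fields = dict(pair.split("=", 1) for pair in kv.split())
    return ParsedMessage(datetime.fromisoformat(ts), msg_type, fields)

@dataclass
class CorrelationPolicy:
    name: str
    message_types: frozenset        # message types that are counted
    threshold: int                  # number of matches that fires the policy
    window: timedelta               # sliding window the matches must fall inside
    field_filters: dict = field(default_factory=dict)  # parsed field -> required value
    group_by: tuple = ()            # parsed fields that get their own counter
    new_message_type: str = "Correlated Event"

class Correlator:
    """Counts matching messages per group inside a sliding window.
    Input is assumed to arrive in timestamp order; sort it first otherwise."""

    def __init__(self, policy):
        self.policy = policy
        self._buckets = {}  # group key -> deque of timestamps still inside the window

    def _matches(self, msg):
        p = self.policy
        return msg.msg_type in p.message_types and all(
            msg.fields.get(k) == v for k, v in p.field_filters.items()
        )

    def feed(self, msg):
        """Return the synthesized message when the threshold is reached, else None."""
        p = self.policy
        if not self._matches(msg):
            return None
        key = tuple(msg.fields.get(k) for k in p.group_by)
        q = self._buckets.setdefault(key, deque())
        q.append(msg.ts)
        cutoff = msg.ts - p.window
        while q and q[0] < cutoff:  # drop matches that fell out of the window
            q.popleft()
        if len(q) < p.threshold:
            return None
        new_msg = {
            "ts": msg.ts,
            "msg_type": p.new_message_type,
            "policy": p.name,
            "count": len(q),
            "window_start": q[0],
            **dict(zip(p.group_by, key)),
        }
        q.clear()  # one burst produces one message; counting restarts afterwards
        return new_msg

def run_policy(lines, policy):
    """Feed raw lines through one policy and return every message it generated."""
    correlator = Correlator(policy)
    generated = []
    for line in lines:
        out = correlator.feed(parse_line(line))
        if out is not None:
            generated.append(out)
    return generated

# Hypothetical policy: five network (logon_type=3) logon failures for the same
# user inside two minutes become one "Possible Brute Force" message.
BRUTE_FORCE = CorrelationPolicy(
    name="brute-force-by-user",
    message_types=frozenset({"Windows Login Failed"}),
    threshold=5,
    window=timedelta(minutes=2),
    field_filters={"logon_type": "3"},
    group_by=("user",),
    new_message_type="Possible Brute Force",
)

# Constructed sample input: alice fails five times within two minutes (one
# interactive failure is filtered out), bob fails once, and alice's failure at
# 10:09 starts a fresh count because the earlier burst was already consumed.
SAMPLE_LINES = [
    "2024-05-01T10:00:00 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=3",
    "2024-05-01T10:00:20 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=3",
    "2024-05-01T10:00:35 Windows Login Failed user=bob src_ip=10.0.0.9 logon_type=3",
    "2024-05-01T10:00:50 Windows Login Success user=alice src_ip=10.0.0.5 logon_type=3",
    "2024-05-01T10:01:10 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=3",
    "2024-05-01T10:01:25 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=2",
    "2024-05-01T10:01:40 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=3",
    "2024-05-01T10:01:55 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=3",
    "2024-05-01T10:09:00 Windows Login Failed user=alice src_ip=10.0.0.5 logon_type=3",
]

if __name__ == "__main__":
    for generated in run_policy(SAMPLE_LINES, BRUTE_FORCE):
        print(generated)
```

Running the sample produces exactly one generated message, for alice, with a count of 5 and a window starting at 10:00:00; bob's single failure and the filtered interactive failure never reach the threshold, and the failure at 10:09 alone starts a new count. Grouping by user rather than by source IP is a design choice for this illustration: it catches password spraying from several addresses against one account, at the cost of missing one address trying many accounts, which would need a second policy grouped by src_ip.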
Flat File Policies
Alert Logic log management collects a variety of log sources, such as Windows Eventlog, Syslog, and text-based log files. Text-based log messages are also known as flat file log messages; they are a common format and can be collected, stored, and normalized in the same way as Windows Eventlog and Syslog messages.
A flat file policy specifies where the log file is located and tells Alert Logic how to read it, so that the messages are received and parsed correctly.
For more information, refer to our Flat File Collection Policy help documentation.
Syslog Policies
Syslog is a standard way for network devices to send event messages to a logging server, usually called a syslog server. A syslog policy lets you collect syslog messages for Alert Logic log management to review. Syslog policies define the port on which the agent or remote collector listens for syslog traffic.
The policy also defines how much data the agent or collector can cache if the connection to the Alert Logic cloud is lost or there is insufficient bandwidth to transmit the received logs.
For more information, refer to our Log Manager Syslog Collection Policy help documentation.
Windows Eventlog Policies
Windows event logs record significant events on a Windows host, such as a user logon or a program error. A Windows event log policy lets you collect event logs for Alert Logic log management to review. Eventlog policies determine which Eventlog streams are collected from Windows hosts. By default, the following are collected:
The policy can also specify the credentials to use when the source is not collected by an agent and a collection schedule is applied to the source.
When configuring a Windows Eventlog policy, you can filter which event logs are sent by selecting the desired streams under Alert and Collect on Selected Streams. This helps prevent unwanted logs from being collected and from generating alert emails.
For more information, refer to our Windows Event Log Policy help documentation.
S3 Collection Policies
S3 collection policies set guidelines for collecting Amazon Simple Storage Service (S3) access logs. Each access log record describes a single request, including the requester, bucket name, request time, request action, response status, and error code, if any. An S3 policy lets you collect S3 logs for Alert Logic log management to review.
Note: Although this feature is visible to all users, it only works with AWS accounts.
Updates Policies
An updates policy tells hosts when they are allowed to perform automatic updates of the Alert Logic software.
By default, Alert Logic assigns the Default Update Policy, which delivers software updates to your hosts as they become available. If required, you can configure scheduled maintenance windows so that the software only checks for updates during the specified period.
This page is the same for both Log and IDS, because the same updates policies can be shared across all hosts.
For more information, refer to our Log Manager Updates Policy help documentation.
Credentials
A credential is the information Alert Logic log management needs to authenticate itself to a log source in order to collect log data. The following types of credentials are stored on this page:
- Windows passwords
  - Used for agentless Windows log collection
- IAM Roles
  - Used for S3 bucket and CloudTrail log collection
- Used for Azure based log collection
In most cases there is no need to create credentials on this page, because you can enter them when creating a log source. The page's primary purpose is to update and delete existing credentials.
Credentials are only used for cloud-native collection and for remote (appliance-based) Windows Event Log and flat file collection; agent-based collection does not need them.
Collection Schedules
Collection schedules let you define blackout periods during which logs are not collected. For example, you could configure a source to collect only during business hours.
For more information, refer to our Log Manager Collection Schedules help documentation.
Collection Alert Rules
Alert Logic recommends creating alert rules for log management sources; these notify you if Alert Logic stops receiving log messages. A collection alert rule sends you an email alert when Alert Logic has not received log messages from a source for a configurable time frame. Rules can be applied individually to any log source, so each source can have its own threshold.
For more information, refer to our Alert Rules help documentation.
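The staleness check a collection alert rule performs, as an added example that is not Alert Logic's code: each source carries its own allowed silence, the rule fires once when that is exceeded (rather than on every evaluation pass), and a recovery notice is produced when messages resume. Source names, thresholds and the timeline in `simulate()` are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CollectionAlertRule:
    source: str              # log source the rule is attached to
    max_silence: timedelta   # fire when no message has arrived for longer than this

class CollectionMonitor:
    """Tracks the last message time per source and raises one alert per outage."""

    def __init__(self, rules):
        self.rules = {r.source: r for r in rules}
        self.last_seen = {}     # source -> timestamp of the most recent message
        self.alerting = set()   # sources currently in the "no logs" state

    def observe(self, source, ts):
        """Record a received message; return a recovery notice if the source was alerting."""
        self.last_seen[source] = ts
        if source in self.alerting:
            self.alerting.discard(source)
            return f"{source}: log collection resumed at {ts.isoformat()}"
        return None

    def check(self, now):
        """Evaluate every rule at time `now`; return only the alerts that fire on this pass."""
        fired = []
        for source, rule in self.rules.items():
            last = self.last_seen.get(source)
            # A source that has never reported at all is treated as silent too.
            silent = last is None or now - last > rule.max_silence
            if silent and source not in self.alerting:
                self.alerting.add(source)
                since = last.isoformat() if last else "never"
                fired.append(
                    f"{source}: no log messages since {since} "
                    f"(allowed silence {rule.max_silence})"
                )
        return fired

def simulate():
    """Constructed timeline: dc01 goes quiet after 10:00 and recovers at 10:31,
    web01 stays quiet and crosses its 30-minute limit on the last pass."""
    monitor = CollectionMonitor([
        CollectionAlertRule("dc01", timedelta(minutes=15)),
        CollectionAlertRule("web01", timedelta(minutes=30)),
    ])
    t0 = datetime(2024, 5, 1, 10, 0)
    events = []
    for src in ("dc01", "web01"):
        monitor.observe(src, t0)
    events += monitor.check(t0 + timedelta(minutes=20))  # dc01 fires; web01 still inside its limit
    events += monitor.check(t0 + timedelta(minutes=30))  # nothing new: dc01 is already alerting
    notice = monitor.observe("dc01", t0 + timedelta(minutes=31))
    if notice:
        events.append(notice)
    events += monitor.check(t0 + timedelta(minutes=40))  # web01 now exceeds 30 minutes
    return events

if __name__ == "__main__":
    for event in simulate():
        print(event)
```

The "alerting" set is what keeps a long outage from generating an email on every evaluation pass; clearing it in `observe()` is also what allows a second outage on the same source to fire again later, so a flapping source will produce a notice per gap, which is usually what you want to see.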
Correlation Alert Rules
Correlation alert rules send an email notification when a message of one of the specified types is collected. The message type can be one of the thousands of built-in message types, such as Windows Login Failed, or a message type defined in a user-configured correlation policy.
Note: These Alerts can also be created while creating a Correlation policy.
For more information, refer to our Correlation Alert Rules help documentation.