Benefits of JSON Log Source Collection for LogRhythm Customers

Lumberjack JSON feed into LogRhythm SIEM

When it comes to log sources, LogRhythm recognizes there are limitless options. After all, more than 30,000 Software as a Service (SaaS) companies exist around the globe. While we can’t keep up with every SaaS tool in the market, LogRhythm is taking log source collection to the next level.

With the release of LogRhythm 7.17, we’ve opened our approach to make it easier than ever for analysts to get data into the security information and event management (SIEM) platform. LogRhythm SIEM introduced new Open Collection Architecture methods that let customers instantly send JSON data to the SIEM from third-party sources that use the Lumberjack protocol to deliver logs to the System Monitor. Along with the JSON listener, LogRhythm SIEM lets you tailor out-of-the-box and custom normalization rules that are easy to create and manage without having to use RegEx.

Opening LogRhythm SIEM to Third Parties

This feature comes in response to customer requests for a better experience. If you’re an analyst, you can now use third-party tools to collect important security logs from sources for which LogRhythm hasn’t yet implemented collection. This means there’s no wait time: LogRhythm no longer needs to release an official collector before analysts can collect the specific logs they want. For existing customers who are on an older instance of LogRhythm SIEM, this is a game-changer!

If you are already using LogRhythm Open Collector and the System Monitor Agent for normalization, you can now easily customize and adjust the normalization rules, tailoring the SIEM to your needs.

As illustrated in the graphic below, logs coming into the agent are normalized by rules created with the JSON rule builder and then sent to the Data Processor, which allows easy visualization in the Web Console.

Figure 1: This workflow shows how LogRhythm ingests new JSON logs that use the Lumberjack protocol in SysMon.

Simplify Customization with the JSON Policy Builder

As analysts know well, parsing data is often challenging and typically requires some knowledge of RegEx. With LogRhythm 7.17, we’ve simplified the process, enabling you to send JSON logs into the System Monitor Agent, which can normalize the JSON message without RegEx.

LogRhythm also introduced the JSON Policy Builder, a web-based tool that lets you easily map JSON values to the LogRhythm schema and export the policy file to place in the System Monitor Agent’s custom policy folder, without the need to know how to script or code anything!

To retain any custom normalization rules you build, the System Monitor Agent now features a dedicated folder to store them. This custom normalization policy folder enables customers and partners to safely store custom or modified normalization rules without risk of losing customizations, removing the concern about rules being overwritten or impacted during the upgrade process. Additionally, this folder ensures that any customizations are evaluated first, before any LogRhythm-provided policies are considered.

Figure 2: Expand your log collection by bringing JSON log sources that support the Lumberjack protocol into LogRhythm SIEM.

Through the simple UI, LogRhythm automatically extracts the data, and you can map it to the LogRhythm schema. This GUI-based wizard offers a drop-down menu to help you choose the target schema field. For example, if the log includes usernames, you can assign that field to the LogRhythm schema’s User (Origin) or User (Impacted) fields.
Figure 3: LogRhythm’s JSON Policy makes it easy to visually map JSON fields into LogRhythm’s schema.

Benefits of the JSON Policy Builder

For customers, the JSON Policy Builder offers the following benefits:

Analysts: You can create normalization rules that don’t require RegEx or other scripting languages, saving you time. Because creating custom Messaging Processor Engine (MPE) rules can be cumbersome, LogRhythm simplified the process when working with JSON logs. With this feature, you can spend less time ensuring log data is collected and properly parsed.

CISOs: You can get more value out of LogRhythm SIEM without the added costs of customizations. In addition, CISOs can leverage visualizations, data, insight, and reports based on third-party tools, regardless of whether LogRhythm has built an integration for the product.

CFOs: This feature helps companies save money, an important benefit for CFOs. Users can now perform a task in minutes that previously may have required several days of Professional Services time.

You can access the new JSON Policy Builder from the Resource Center to quickly build rules from the logs you see arriving in the Web Console. Once you have built these normalization policies, we encourage you to use a version-control tool like GitHub to distribute the policies to all the agents and keep them in sync.

Upgrade to LogRhythm 7.17 Today!

Enjoy the newest features in LogRhythm SIEM with our latest version, LogRhythm 7.17! Existing customers can request a license here and download LogRhythm 7.17 from Community. Further details and documentation on LogRhythm SIEM enhancements are available in our Release Notes and the Knowledge Base.

For the latest features released in LogRhythm 7.17, check out the blog post from my colleague, Ryan Gamboa, or register for the LogRhythm SIEM July 2024 Quarterly Launch webinar on July 17 at 11 a.m. ET to see feature demos in action!