Manage Log Source Policies

The log source policy details table provides options to view log sources, edit policy settings, and enable or disable each configured policy.

View Log Source Policies

The Log Sources page displays a list of the log source policies that you create, along with details such as policy name, status, date of creation, number of silent log sources, and total number of log sources. You can view log sources for a particular policy, use filters for each column, edit the policy settings, and enable or disable the configured policy.

Refer to the following description for each column.

| Column | Description |
| --- | --- |
| LOG SOURCE POLICY | Displays the name of the log source policy that you created, with a brief summary of the specified conditions. |
| STATUS | Displays the status of the log source policy: Enabled or Disabled. |
| DATE CREATED | Displays the date and time on which you created the log source policy. |
| # SILENT LOG SOURCES | Displays the number of silent log sources. |
| # LOG SOURCES | Displays the total number of log sources. |

Note

A log source must match only one policy. If multiple policies have overlapping log sources, the log source is assigned to the policy that was created first.

View Log Sources

Use the following steps to view details of log sources that belong to the policy.

  1. To view details of a particular log source policy, navigate to a log policy and click the Options menu (:).
  2. Click View Log Sources to view more information about the log sources.

    Log sources that belong to the log source policy are displayed on a new page in a table along with an option to export the log source details to CSV. For more information, see Export Log Sources.

    The following table describes each column of the Log Sources table.

    | Column | Description |
    | --- | --- |
    | PRODUCT | Displays the product that belongs to the vendor in your configured log source policy. |
    | HOST | Displays the host name on which the product is installed. |
    | STATUS | Displays the status of the log sources. For example, Silent. |
    | LAST SEEN | Displays the time and date when the log source data was last ingested. Based on the log source policy configuration, the log source is marked as silent if it remains inactive for a certain period. |
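
The first-created-wins rule from the Note above, combined with the silent marking described for LAST SEEN, worked through as an added example that is not the product's code or API. The Policy and LogSource fields, the vendor and product matching condition, the per-policy silent_after period and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Field names, matching conditions and sample data are constructed for
# illustration; they are not the product's data model or API.
@dataclass(frozen=True)
class LogSource:
    vendor: str
    product: str              # PRODUCT column
    host: str                 # HOST column (assumed unique here)
    last_seen: datetime       # LAST SEEN column

@dataclass(frozen=True)
class Policy:
    name: str
    created: datetime         # DATE CREATED column
    vendor: str               # assumed condition: vendor must match
    product: Optional[str]    # assumed condition: None matches any product
    silent_after: timedelta   # assumed inactivity period before "Silent"
    def matches(self, src: LogSource) -> bool:
        return src.vendor == self.vendor and self.product in (None, src.product)

def assign(policies, sources):
    """Map each host to the earliest-created matching policy, or None."""
    ordered = sorted(policies, key=lambda p: p.created)
    return {s.host: next((p for p in ordered if p.matches(s)), None) for s in sources}

def silent_hosts(policies, sources, now):
    """Hosts inactive for longer than their assigned policy's period."""
    owner = assign(policies, sources)
    return sorted(s.host for s in sources
                  if owner[s.host] and now - s.last_seen > owner[s.host].silent_after)

def shadowed(policies, sources):
    """(host, policy that lost, policy that won) for every overlapping match."""
    owner = assign(policies, sources)
    return [(s.host, p.name, owner[s.host].name) for s in sources for p in policies
            if p.matches(s) and p is not owner[s.host]]

NOW = datetime(2024, 5, 1, 12, 0)
POLICIES = [  # the stricter firewall policy was created later than the broad one
    Policy("fw-strict", datetime(2024, 3, 1), "Acme", "Firewall", timedelta(hours=1)),
    Policy("acme-all", datetime(2024, 1, 10), "Acme", None, timedelta(hours=24)),
]
SOURCES = [
    LogSource("Acme", "Firewall", "fw01", NOW - timedelta(hours=3)),
    LogSource("Acme", "Proxy", "px01", NOW - timedelta(hours=30)),
    LogSource("Other", "EDR", "edr01", NOW - timedelta(days=5)),
]
```

In this constructed data fw01 has been quiet for three hours yet is not reported as silent, because the broader acme-all policy was created first and owns it; shadowed() lists such overlaps so they can be reviewed before relying on the later policy.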

Edit Policy Setting

To edit the policy conditions or a log source identifier, use the Edit Policy Setting option. However, for optimal performance, it is recommended that you create a new log source policy with your preferred settings and delete the old one instead of editing the existing policy.

  1. To view details of a particular log source policy, click the Options menu (:).

  2. Click Edit Policy Setting to view more information about the log sources and edit the conditions.

    In the Edit Policy dialog box, you can edit only the Policy name and Silent Notification Preferences fields.

Enable or Disable the Policy

When you create a log source policy, it is enabled by default. While the policy is enabled, its log sources are monitored for their active or inactive state. If you mark the log source policy as disabled, its log sources are no longer monitored for newly ingested logs.

  1. To disable a policy, navigate to a specific log source policy row and click the Options menu (:).

  2. In the Disable Log Source Policy confirmation box, click Disable.

    Monitoring for log sources in this policy is stopped and the policy shows a status of Disabled.

    If you want to re-enable the policy, click the Options menu (:), and select Enable.

    Note

    You can delete only disabled log source policies.