Model Library

Each use case relies on a trained model. When you create a new use case, the selected algorithm builds and trains a model from your data. Models can serve a single use case or be saved to the library for reuse across multiple use cases. Models can also be exported and imported between Energy Logserver instances.

Realtime Manager

Models from the library can run in realtime. Click the clock icon to create a new Network Probe pipeline for the model. A model trained on one dataset can be reused on another, even though field names in the realtime stream may differ from those used during training. Use the Mapping section to map the original model fields to the fields available in the realtime data stream.

Default AI Rules

Default Rules automatically deploy a set of rules for the syslog index at startup, enabling users to quickly start analyzing data.

Default rules are loaded automatically on every service start. They are grouped by data source:

Syslog (syslog-*):

  • Syslog Forecast network.bytes

  • Syslog Forecast network.ttl

  • Syslog Forecast postfix_delay

  • Syslog Forecast postfix_delay_transmission

  • Syslog Forecast postfix_size

  • Syslog Forecast document count

  • Syslog Text Anomaly syslog_message

  • Syslog Univariate network.bytes

  • Syslog Univariate network.ttl

  • Syslog Univariate postfix_delay

  • Syslog Univariate postfix_delay_transmission

  • Syslog Univariate postfix_size

  • Syslog Univariate document count

  • Syslog Clustering message

Windows / Wazuh:

  • Windows Winlogbeat Text Anomaly message (windows-winlogbeat-*)

  • Wazuh Text Anomaly full_log (wazuh-alerts-*)

  • Wazuh Text Anomaly data.win.eventdata.data (wazuh-alerts-*)

HTTPD (httpd-*):

  • HTTPD Clustering message

UBA (uba*):

  • [UBA] (D)DoS Probability (Multivariate)

  • [UBA] APT Probability (Multivariate)

  • [UBA] Ransomware Probability (Multivariate)

  • [UBA] All Events Probability (Multivariate)

  • [UBA] Logon Anomaly (Univariate)

  • [UBA] Services Installation Anomaly (Multivariate)

Barracuda (barracuda-*):

  • [Barracuda] Firewall Received Bytes Anomaly (Univariate)

  • [Barracuda] Firewall Sent Bytes Anomaly (Univariate)


AI Store

The AI Store allows you to download an AI Use Case that matches your index patterns and upload it to your own infrastructure. A short description of each model is available in the drop-down list.

AI Use Case models can be accessed through the Energy Logserver webpage and the Energy Logserver app in the AI Cases => Online Store section.

To upload the selected model through the webpage, follow the steps below:

  1. Download the model you are interested in.

  2. Open the Energy Logserver app and navigate to the Use Cases tab.

  3. Click Upload New Model and select the downloaded model from the file explorer.

  4. Press Save & Run to start the model.

To upload the selected model via the Energy Logserver app, follow the steps below:

  1. Navigate to Use Cases => Store tab.

  2. Select the model that you are interested in and press the Fetch button.

  3. Press Save & Run to start the model.