
Configure a Device for a Custom OC Pipeline

Any time you create a custom Open Collector Pipeline, you need to configure the device that will send the logs to LogRhythm. For example, to bring Microsoft Windows logs in via Open Collector, Winlogbeat can be employed. This guide covers basic setup of the device. Additional information can be found in Elastic's Getting Started with Winlogbeat.

LogRhythm Customer Support cannot assist with configuring devices. For assistance, refer to the documentation provided by the company of the Beat you plan to use.

  1. From the Elastic website, download and unzip Winlogbeat.
  2. Open the winlogbeat.yml configuration file. 

    There are many available parameters, but this guide only highlights the most important ones. For a full list of configuration reference documents, visit https://www.elastic.co/guide/en/beats/winlogbeat/index.html.

  3. In the Winlogbeat specific options section, ensure the information for your system is correct.

    #======================= Winlogbeat specific options ===========================
    winlogbeat.event_logs:
      - name: Application
        ignore_older: 72h
      - name: System
      - name: Security
        processors:
          - script:
              lang: javascript
              id: security
              file: ${path.home}/module/security/config/winlogbeat-security.js
      - name: Microsoft-Windows-Sysmon/Operational
        processors:
          - script:
              lang: javascript
              id: sysmon
              file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
  4. In the Logstash output section, update the hosts: parameter with the Open Collector address and port 5044. This allows data to be forwarded from the Beat to the Open Collector.

    #----------------------------- Logstash output --------------------------------
    output.logstash:
      # The Logstash hosts
      hosts: ["XX.X.X.XXX:5044"]
  5. Comment out the Elasticsearch output section. This output is not in use. If you do not comment it out, the Beat will generate errors about not being able to communicate with Elasticsearch.

    #-------------------------- Elasticsearch output ------------------------------
    #output.elasticsearch:
      # Array of hosts to connect to.
      #hosts: ["localhost:9200"]
  6. (Optional) You can uncomment the Logging section and its parameters and configure the logging levels to fit your needs.

    #================================ Logging =====================================
    # Sets log level. The default log level is info.
    # Available log levels are: error, warning, info, debug
    #logging.level: debug
  7. (Optional) Enable the output.file functionality. This writes the JSON logs (one per line) to a file, which can be very useful for analysis prior to building your custom pipeline, because it shows which fields are available. Note that a Beat accepts only one active output at a time, so enable output.file while the Logstash output is commented out, then switch back once the analysis is done. Full options for this can be found at https://www.elastic.co/guide/en/beats/winlogbeat/master/file-output.html.

    output.file:
      path: "/tmp/winlogbeat"
      filename: winlogbeat
      #rotate_every_kb: 10000
      #number_of_files: 7
      #permissions: 0600
  8. Open PowerShell in the unzipped Winlogbeat directory and run the Beat:
    .\winlogbeat.exe -c winlogbeat.yml
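As an added example (not part of this page and not LogRhythm's or Elastic's tooling), the following Python script pre-checks an edited winlogbeat.yml against steps 4, 5 and 7 before the Beat is started: it reports an output.elasticsearch section that is still uncommented, a Logstash host that does not use port 5044, and more than one active output (a Beat accepts a single output, so output.file must stand in for output.logstash rather than sit beside it). It reads the YAML as text line by line instead of using a YAML library, so it only understands the simple top-level output.<name>: layout shown above; the two sample configurations embedded in it are constructed, and the function names are the script's own.

```python
"""Pre-flight check for a winlogbeat.yml edited for the Open Collector.

Added example, not LogRhythm's or Elastic's code. The checker scans the
YAML text line by line (no PyYAML dependency) and only understands the
simple layout used in the steps above: an uncommented top-level
'output.<name>:' key followed by indented settings.
"""
import re

OC_PORT = 5044  # port the Open Collector listens on for Beats traffic
OUTPUT_KEY = re.compile(r"^output\.([a-z]+):")      # top-level output key at column 0
HOST_ENTRY = re.compile(r"[\"']?([^\"',\[\]\s]+)[\"']?")  # one entry of a hosts: [...] list

# Constructed sample: matches steps 4 and 5 (Logstash on 5044, Elasticsearch commented out).
SAMPLE_OK = """\
winlogbeat.event_logs:
  - name: Security
output.logstash:
  hosts: ["10.0.0.20:5044"]
#output.elasticsearch:
  #hosts: ["localhost:9200"]
logging.level: info
"""

# Constructed sample with three mistakes: two active outputs, Elasticsearch
# still enabled, and the Logstash host pointing at the wrong port.
SAMPLE_BAD = """\
output.elasticsearch:
  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["10.0.0.20:5043"]
"""


def active_outputs(yaml_text):
    """Return {output_name: [stripped setting lines]} for outputs that are not commented out."""
    outputs = {}
    current = None
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment (including a commented-out output section)
        m = OUTPUT_KEY.match(raw)
        if m:
            current = m.group(1)
            outputs[current] = []
        elif raw[0] in " \t" and current is not None:
            outputs[current].append(stripped)  # indented setting inside the current output
        else:
            current = None  # any other top-level key ends the output block
    return outputs


def logstash_hosts(lines):
    """Extract the host:port strings from a 'hosts: [...]' setting, ignoring inline comments."""
    for line in lines:
        if line.startswith("hosts:"):
            inner = line.split(":", 1)[1].split("#", 1)[0].strip().strip("[]")
            return HOST_ENTRY.findall(inner)
    return []


def check_config(yaml_text):
    """Return a list of findings; an empty list means the config matches the steps above."""
    findings = []
    outputs = active_outputs(yaml_text)
    if len(outputs) > 1:
        findings.append("more than one output enabled (%s); a Beat allows only one"
                        % ", ".join(sorted(outputs)))
    if "elasticsearch" in outputs:
        findings.append("output.elasticsearch is still active; comment it out (step 5)")
    if "logstash" not in outputs:
        findings.append("output.logstash is not enabled (expected only while output.file "
                        "is used for field analysis, step 7)")
    else:
        hosts = logstash_hosts(outputs["logstash"])
        if not hosts:
            findings.append("output.logstash has no hosts entry")
        for host in hosts:
            if not host.endswith(":%d" % OC_PORT):
                findings.append("logstash host %r does not use port %d (step 4)" % (host, OC_PORT))
    return findings


if __name__ == "__main__":
    for label, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(label + ":", check_config(text) or "no findings")
```

Run it against a real file with `check_config(open("winlogbeat.yml").read())`; an empty result means the output section is in the state steps 4, 5 and 7 expect, and each finding names the step to revisit.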