Configure Beats for JSON Parsing
By default, the Open Collector uses the JQ scripting language to process logs and send them to data processors or hosts, which can sometimes require multiple Open Collectors to retrieve all of the necessary log data. However, Beats can also be configured to use a JSON parsing engine on a System Monitor for log processing, which improves processing performance, allows for more logs to be processed through a single Open Collector, and creates a simpler administrative workflow.
Every Beat configuration now includes the option to enter a System Monitor's hostname or IP address and a port that can be used to bypass the JQ-based parsing engine and use the new JSON parsing engine instead.
Prerequisites
This feature is available for customers who have upgraded to LogRhythm SIEM version 7.13 with System Monitor version 7.13.
Existing Beats are not required to be upgraded to the new JSON parsing method.
- System Monitor running on Windows 64-bit with a minimum of 8 CPUs and 16GB RAM.
- Ensure TCP port 5044 is open between the Open Collector and System Monitor hosts.
Enable JSON Parsing on System Monitor Agents
In order for an Open Collector to send JSON parsing directly to a System Monitor, that System Monitor must first have JSON Parsing enabled.
Enable JSON Parsing for a New System Monitor Agent
To create a new System Monitor with JSON parsing enabled, from the Client Console:
- On the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- On the File menu, click New.
The System Monitor Agent Properties window appears, and the Agent Settings tab is selected. - Configure the System Monitor's basic or advanced properties as desired.
- On the Syslog and Flow Settings tab, check Enable Syslog Server and then check Enable Json Parsing.
In the Syslog Relay Regular Expressions box, add the following regular expression to the top:
CODE<(?<priority>\d{1,3})>\s*(?<month>\d{2})\/(?<day>\d{2})\/(?<year>\d{4})\s(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})\s(?<message>.*)- When you are finished, click OK.
Enable JSON Parsing for an Existing System Monitor Agent
To modify the properties of an existing System Monitor to enable JSON parsing, from the Client Console:
- On the main toolbar of the Client Console, click Deployment Manager.
- Click the System Monitors tab.
- Select a System Monitor to modify.
You can use the filters at the top of grid to search for a System Monitor. - Double-click the System Monitor you want.
The System Monitor Agent Properties window appears. - Click the Syslog and Flow Settings tab.
- Check Enable Syslog Server and then check Enable Json Parsing.
In the Syslog Relay Regular Expressions box, add the following regular expression to the top:
CODE<(?<priority>\d{1,3})>\s*(?<month>\d{2})\/(?<day>\d{2})\/(?<year>\d{4})\s(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})\s(?<message>.*)When you are finished, click OK.
You cannot change the entity to which a System Monitor belongs. For information on what to do in this case, see Connect System Monitor Agents to Different Entities.
Enable JSON Parsing During Configuration of a New Beat
Once the System Monitor Agent has JSON parsing enabled, the Beat can be configured to send logs directly to that agent.
To enable JSON parsing for a Beat:
Follow Beat configuration guides as normal to complete the Beat configuration and log source setup in the client console.
Refer to the table in the Beat Initialization Guides Reference section below to find the configuration guides for each Open Collector Beat.- During the initialization steps, provide the Hostname or IP address of the System Monitor, and then press Enter.
This should be the hostname or IP address of the System Monitor Agent configured in the previous section. - Enter the port number for data collection.
By default, the port is 5044. Continue initializing the beat as normal.
Reconfigure an Existing Beat to Use the JSON Parsing Engine on a System Monitor
To repoint an existing Beat from the JQ engine on an Open Collector to the JSON engine on a System Monitor, update the Beat configuration using the steps below. After rerouting an existing Beat to the System Monitor's JSON engine, logs will continue to be parsed and associated with the existing log source in the SIEM.
First, ensure that your System Monitor agent has been configured for JSON parsing using the Enable JSON Parsing on System Monitor Agents section.
From the Open Collector host running the Beat you wish to update:
Run the following command to view the current Beat configuration.
CODE./lrctl [Beat Service Name] config viewFor example:
CODE./lrctl oktabeat config viewSelect the Beat to be reconfigured using the arrow keys, and press Enter.
Note the Beat configuration.
Run the following command to edit the Beat configuration:
CODE./lrctl [Beat Service Name] config editFor example:
CODE./lrctl oktabeat config editSelect the Beat to be reconfigured using the arrow keys, and then press Enter.
Confirm and re-enter previously configured settings such as the unique identifier, domain, API key, etc. until asked for the hostname or IP address of the Open Collector.
The configuration settings vary from Beat to Beat. Refer to the Supported Beats and Initialization Guides Reference to find the initialization steps for your Beat.
Enter the hostname or IP address of the System Monitor agent configured in the Enable JSON Parsing on System Monitor Agents section and press Enter.
- Enter the port number for data collection and press Enter.
By default, the port is 5044. Restart the Beat.
CODE./lrctl [Beat Service Name] restartFor example:
CODE./lrctl oktabeat restartOnce the beat has restarted, to verify the changes, view the configuration using the following command:
CODE./lrctl [Beat Service Name] config viewFor example:
CODE./lrctl oktabeat config view
Supported Beats and Initialization Guides Reference
Refer to the table below to find the list of beats that currently support JSON parsing, as well as the initialization guides for those beats.
| Beat | Configuration Guide |
|---|---|
| AWS S3 Beat | Initialize the AWS S3 Beat |
| Azure Event Hubs Beat | |
| Carbon Black Cloud Beat | Initialize the Carbon Black Cloud Beat |
| Cisco AMP Beat | Initialize the Cisco AMP Beat |
| Darktrace Beat | Initialize the Darktrace Beat |
| Duo Authentication Security Beat | Initialize the Duo Beat |
| Generic Beat | Initialize the Generic Beat |
| Gmail Message Tracking Beat | Initialize the Gmail Message Tracking Beat |
| GSuite Beat | Initialize the GSuite Beat |
| Kafka Beat | Initialize the Kafka Beat |
| MS Graph API Beat | Initialize the Microsoft Graph API Beat |
| Okta Beat | Initialize the Okta Beat |
| Prisma Cloud Beat | Initialize the Prisma Cloud Beat |
| Proofpoint Beat | Initialize the Proofpoint Beat |
| PubSub Beat | Initialize the PubSub Beat |
| Qualys FIM Beat | Initialize the Qualys FIM Beat |
| Salesforce Beat | Initialize the Salesforce Beat |
| Sophos Central Beat | Initialize the Sophos Central Beat |
| Symantec WSS Beat | Initialize the Symantec WSS Beat |
| Webhook Beat | Configure Webhook |