Configure Open Collector Connection to the SIEM (WebUI)

LogRhythm version 7.14 introduced Open Collector and SIEM integration, allowing users to view and manage Open Collector and Beats from the web console. After updating the SIEM to 7.14 (or later) and the Open Collector to the latest version, the Long-Running LRCTL service must be configured and initialized. This service runs in the background on the Open Collector and manages the configurations applied in the LogRhythm Web Console.

This guide will take you through configuring the Long-Running LRCTL service for the first time.

The following Beats are available to configure in the Web Console:

• AWS S3

• Azure Event Hub

• Carbon Black Cloud

• Cisco AMP

• Darktrace

• Duo Authentication Security

• GMT

• GSuite

• Microsoft Graph API

• Okta

• Prisma Cloud

• Proofpoint

• PubSub

• Qualys FIM

• Sophos Central

• Symantec WSS

New Open Collector Setup

Initialize Long-Running LRCTL

To initialize long-running LRCTL, perform the following steps:

1. Run the following command:

   CODE

   ./lrctl lrctl start

2. Enter an Entity ID, then press Enter.
   When registering with the SIEM, this will be the Entity where the Open Collector host is created. If uncertain, it is recommended to use a value of “1”.

   1. To find the Entity ID, from the Client Console, go to the Deployment Manager and select the Entity tab.

   2. Right-click on the Parent or Child Entity from the tree on the left and select Properties.

   3. The Entity ID can be found at the bottom of the properties window.

3. Enter the hostname or IP address of the Platform Manager (PM), then press Enter.

4. Enter a unique name to identify this Open Collector instance, then press Enter.

5. Generate an API token using the steps outlined at Register Third-Party Applications to Use the API, and enter the token here.

After pasting the API key into the Open Collector command line, it will be printed several times. This is expected. When the output has completed updating, continue to the next step.

6. Press Enter to start Long-Running LRCTL.

7. (Optional.) To stop the Long-Running LRCTL instance, run the following command:

./lrctl lrctl Stop

Validate Registration with the SIEM

After initialization, the Long-Running service will communicate with the Admin API to register itself with the SIEM. An Entity record and an Open Collector record will be automatically created. Use the following steps to validate the successful integration with the SIEM:

1. Log in to the Web Console as an administrator.

2. Click Administration, and then Log Collection.

3. Click Open Collectors.

4. In the grid, validate that the new Open Collector host is present.

After validating the presence of the Open Collector host, you can manage the Open Collector and Beats in the Web Console. For more details, see Log Collection in Web Console.

Existing Open Collector Setup

This section will guide you through configuring a connection between an existing Open Collector and the SIEM.

Update the Open Collector Entity Record

Existing Open Collectors will have an entity host record already. When the Open Collector checks into the SIEM for the first time, this host record must be named accurately so that it can be properly associated with the Open Collector.

1. To retrieve the hostname of your Open Collector, run the following command and take note of the response:

   BASH

   hostname --all-fqdns | cut -f1 -d' '

2. From the Client Console, go to the Deployment Manager and select the Entity tab.

3. Locate your Open Collector’s host record and double-click on it to open the properties window.

4. Update the Name of the Open Collector to match the host name retrieved in step one.

Initialize Long-Running LRCTL

1. From the Open Collector, start the Long-Running LRCTL service using the following command:

   CODE

   ./lrctl lrctl start

2. Enter the Entity ID.

   1. To find Entity ID, from the Client Console, go to the Deployment Manager and select the Entity tab.

   2. Right-click on the Parent or Child Entity from the tree on the left and select Properties.

   3. The Entity ID can be found at the bottom of the properties window.

3. Enter the hostname or IP address of the Platform Manager (PM), then press Enter.

4. Enter a unique name to identify this Open Collector instance, then press Enter.

5. Generate an API token using the steps outlined at Register Third-Party Applications to Use the API, and enter the token here.

After pasting the API key into the Open Collector command line, it will be printed several times. This is expected. When the output has completed updating, continue to the next step.

6. Press Enter to start Long-Running LRCTL.

Validate Registration with the SIEM

After initialization, the Long-Running service will communicate with the Admin API to register itself with the SIEM. An Entity record and an Open Collector record will be automatically created. Use the following steps to validate the successful integration with the SIEM:

1. Log in to the Web Console as an administrator.

2. Click Administration, and then Log Collection.

3. Click Open Collectors.

4. In the grid, validate that the new Open Collector host is present.

After validating the presence of the Open Collector host, you can manage the Open Collector and Beats in the Web Console. For more details, see Log Collection in Web Console.

Migrating Existing Beats and Log Sources

To fully take advantage of the Open Collector integration with the SIEM, Beats and log sources must be retired and recreated from the Web Console. This step is not required, and Beats and log sources will continue to collect if not migrated. However, administrative functionality in the Web Console will not be available.

Updating the Long-Running LRCTL Configuration

To update the Entity, Platform Manager, and API key configuration of the Long-Running LRCTL service, run the following command.

./lrctl lrctl config edit

Troubleshooting

To view Long-running LRCTL logs, run the following command:

docker logs -f lrctl_svc