Configure the Generic Beat for IronDefense
Prerequisites
- Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
The following port is open:

Direction   Port   Protocol   Source
Outbound    443    HTTPS      Generic Beat
Initialize the Beat
To confirm the Open Collector is running, run the following command:
./lrctl status
You should see the open_collector and metrics versions. If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.
To start the Generic Beat, run the following command:
./lrctl genericbeat start
- Using the arrow keys, select New genericbeat instance, and then press Enter.
- Enter a unique beat identifier for this beat instance, and then press Enter.
- Enter the log source name to be used for the configuration of this Generic Beat instance, and then press Enter.
  The log source name must be irondefense to enable IronNet parsing for this beat instance. With any other name, IronNet parsing is not available for this beat instance.
- Using the arrow keys, select POST as the HTTP request method, and then press Enter.
- Enter the IronDefense API URL for GetAlertNotifications, using the following format:
  https://<yourdomain>/IronApi/GetAlertNotifications
  For example, https://yourdomain.irondev.io/IronApi/GetAlertNotifications.
- Using the arrow keys, select No Pagination as the pagination style, and then press Enter.
- Using the arrow keys, select No Filter as the filter type, and then press Enter.
- Using the arrow keys, select Header Based Authentication as the authentication method, and then press Enter.
- Enter Authorization as the auth header, and then press Enter.
- Create the auth token value as follows:
  - Combine your IronNet username and password in the Username:Password format.
  - Encode the Username:Password string in Base64. The encoded value must contain no trailing newline or other whitespace; piping the string through echo (without -n) into a base64 tool encodes the newline too and produces a token the API rejects.
    For more information on converting your username and password to Base64 format, see Mixed Analytics Basic Authentication.
  - Prefix the encoded value with Basic followed by a single space.
    For example, Basic bG9******GhtOj******c2lDU******iUiE=
  - Enter this generated auth token value, and then press Enter.
  Base64 is an encoding, not encryption: anyone who can read this token can recover the IronNet password. Use a dedicated, least-privilege IronNet account for the beat, and keep the token out of logs, tickets and screenshots.
- Using the arrow keys, select no for API sorting support, and then press Enter.
- Enter Content-Type:application/json as the request header (other than the authentication header), and then press c to continue.
- Enter limit:5 as the request body, and then press c to continue.
  The limit is the number of records fetched per request.
- Enter any request parameters (other than start time and end time) in the key:value format, and then press c to continue.
- To parse a specific field from the response (for example, if the API response carries the logs in one field), use the arrow keys to select yes, and then press Enter.
- Enter alert_notifications as the field in which the data arrives in the API response, and then press Enter.
- Enter the polling period for the beat in seconds (for example, 30s), and then press Enter.
The Generic Beat service is now started for IronNet log parsing.
To check the status of the service, run the following command:
./lrctl genericbeat status
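The wizard settings above describe one HTTP exchange: a POST to GetAlertNotifications carrying a Basic Authorization header, a Content-Type of application/json and a JSON body with a limit, whose alert_notifications field holds the records. The following Python script is an example added to this page, not LogRhythm or IronNet code; it builds that same request with the standard library so you can verify the token and the endpoint from the collector host before saving the beat configuration. It assumes the page's placeholder URL (yourdomain.irondev.io), the credentials and record fields in it are invented, the sample response is constructed rather than captured from IronDefense, and fetch_alerts is the only function that touches the network.

```python
"""Rebuild the Generic Beat's GetAlertNotifications request and check the auth token.

Added example, not LogRhythm or IronNet code. The URL is the page's placeholder,
the credentials are invented, and SAMPLE_RESPONSE is constructed.
"""
import base64
import json
import urllib.request

# Endpoint format from the page; yourdomain.irondev.io is the page's placeholder.
IRON_API_URL = "https://yourdomain.irondev.io/IronApi/GetAlertNotifications"


def build_auth_token(username: str, password: str) -> str:
    """Return the Authorization value the wizard asks for: "Basic " + base64(user:pass).

    Encoding in-process avoids the shell mistake of piping `echo user:pass` (with
    its trailing newline) into base64, which yields a token the API rejects.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_auth_token(token: str) -> bool:
    """Sanity-check a token before pasting it into the wizard.

    True only if the token has the "Basic " prefix, the payload is strict base64
    with no whitespace, and the decoded credential is user:pass with no newline.
    """
    if not token.startswith("Basic "):
        return False
    payload = token[len("Basic "):]
    if any(ch.isspace() for ch in payload):
        return False
    try:
        decoded = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return b":" in decoded and not decoded.endswith(b"\n")


def redact_token(token: str, keep: int = 8) -> str:
    """Mask a token for logs or screenshots, keeping only the scheme and a short prefix."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)


def build_request(url: str, token: str, limit: int = 5) -> urllib.request.Request:
    """Build the POST the beat sends: auth header, JSON content type, {"limit": N} body."""
    body = json.dumps({"limit": limit}).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )


def extract_records(response_body: str, field: str = "alert_notifications") -> list:
    """Pull the per-alert records out of the response, as the beat's parse-field setting does."""
    doc = json.loads(response_body)
    if field not in doc:
        raise KeyError(f"response has no '{field}' field; check the field name entered in the wizard")
    records = doc[field]
    if not isinstance(records, list):
        raise TypeError(f"'{field}' is not a list of records")
    return records


def fetch_alerts(url: str, token: str, limit: int = 5, timeout: int = 30) -> list:
    """Perform the live call over HTTPS (outbound 443, per the prerequisites) and return the records."""
    req = build_request(url, token, limit)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_records(resp.read().decode("utf-8"))


# Constructed sample response; the record fields are invented, only the
# alert_notifications key comes from the page.
SAMPLE_RESPONSE = json.dumps({
    "alert_notifications": [
        {"id": "alert-1", "category": "constructed", "severity": 70},
        {"id": "alert-2", "category": "constructed", "severity": 40},
    ]
})


if __name__ == "__main__":
    token = build_auth_token("irondefense-reader", "s3cret")  # invented credentials
    print("token for the wizard:", redact_token(token), "valid:", check_auth_token(token))
    req = build_request(IRON_API_URL, token, limit=5)
    print(req.get_method(), req.full_url, req.data.decode())
    print(len(extract_records(SAMPLE_RESPONSE)), "records in the sample response")
    # fetch_alerts(IRON_API_URL, token) would perform the live call against your instance.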