Configure the Gmail Message Tracking Beat Log Source in the SIEM

Prerequisites

This step explains how to configure the Syslog Relay. The Open Collector needs Syslog Relay for the following reasons:

By default, the agent timestamps syslog messages as they come in. The timestamp in the SIEM should reflect when the log was generated, not when the agent received this log.
An additional Syslog Relay Regular Expression is required to correctly extract the timestamp.

To configure Syslog Relay:

Click the System Monitors tab.
Double-click the agent to which you will send the Open Collector syslog.
Click the Syslog and Flow Settings tab.
Select the Enable Syslog Server check box, if it is not already selected.
Type the Open Collector IP Address in the Syslog Relay Hosts field on the left.
Type the following regular expression as the first line in Syslog Relay Regular Expressions.
^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}\s.*)
Click OK.
Here is an example of a configured Syslog Relay. The Open Collector IP address is 10.3.0.1.

After Open Collector logs are sent to the Windows System Monitor Agent, you need to accept the pending log source.

Click the Log Sources tab.
In the New Log Sources grid, select the Action check boxes for the following:
- Log Source Type. Syslog - Open Collector
  
  Do not select the Gmail Message Tracking-specific log source types yet. You will do that in a later step.
- Log Processing Policy. LogRhythm Default
Right-click the selection, click Actions, and then click Accept.
Select one of the following:
- Click Customize and change the following as needed:
  - Collection System Monitor Entity
  - Log Message Processing Settings
  - Log Data Management and Processing Settings
  - Silent Log Message Source Settings
- Click Default to select customized defaults that were previously selected.
- Select a default batch amount between 100 and 5000.
Click OK.
To see the newly accepted Log Source in the grid, click Refresh.

Use the Log Source Virtualization template included in the KB to create a log source specifically for Gmail Message Tracking logs.

Double-click to open the newly accepted Open Collector Log Source.
The Log Message Source Properties window appears.
Click the Log Source Virtualization tab.
Select the Enable Virtualization check box.
Click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears.
In the Log Source Virtualization Template menu, select Open Collector - Gmail Message Tracking.
Click Save.
The confirmation prompt appears.
Click OK.
New Log Sources appear in the grid as children of your parent log source.

Use the Log Source Virtualization template included in the KB to create a log source specifically for Gmail Message Tracking heartbeat logs.

Double-click the newly accepted Open Collector Log Source.
The Log Message Source Properties window appears.
Click the Log Source Virtualization tab.
Select the Enable Virtualization check box.
Click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears.
In the Log Source Virtualization Template menu, select Open Collector - GMTBeat Heartbeat.
Click Save.
The confirmation prompt appears.
Click OK.
New Log Sources appear in the grid as children of your parent log source.

Silent Log Source Detection indicates when one of your log sources has stopped reporting logs.

Double-click a child log source—for example, Syslog - Open Collector - Gmail Message Tracking.
The Virtual Log Message Source Properties window appears.
Click the Additional Settings tab.
Select the Enable Silent Log Source Detection check box.
Select Warning and Error intervals. LogRhythm recommends Warning in 1 hour and Error in 2 hours.
Click OK.
Click the Alarm Rules tab.
Search for LogRhythm Silent Log Source Error and ensure the value in the Status column is Enabled.