Configure the Webhook Beat Log Source in the SIEM
This section provides instructions for configuring the Webhook log source in the LogRhythm SIEM using the log source virtualization template.
The Open Collector sends the output of every Beat to the Agent in a single syslog stream. The parent log source is a generic type: Syslog - Open Collector. A log source virtualization template included with the LogRhythm Knowledge Base (KB) creates child log sources for each beat.
Prerequisites
- LogRhythm Client Console
- LogRhythm Administrator Account
Open the following port:
Direction
Port
Protocol
Source
Outbound 443 HTTPS webhookbeat - Download the lastest KB .lkb file:
- From a computer with Internet access, log on to the LogRhythm Community.
- On the menu at the top of the screen, select Documentation & Downloads.
- Got to KB tab, and then select Request KB File.
- Enter the correct License ID, Deployment ID and
Step1: Import the Knowledge Base
To import the latest downloaded KB:
In the Client Console, from the Tools menu, select Knowledge, and then select Knowledge Base Manager.
The Deployment Manager must be closed to access the Knowledge Base Manager.The Knowledge Base Manager appears.
- From the Knowledge Base Manager, click File, then click Import Knowledge Base File.
- Select the latest downloaded Knowledge Base .lkb file, and click OK.
The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The file is checked for compatibility with your current deployment and is prepared for import. This may take several minutes. Upon completion, the Unpack Progress: Knowledge Base unpacked message appears. - To import the Knowledge Base, click Next.
Upon completion, the Import Progress Import Completed message appears. - Click OK.
The Knowledge Base Updated message appears. - Click OK.
- On the Knowledge Base Import Wizard, click Close.
Step 2: Verify the Log Source Virtualization Template
In the Client Console, on the main toolbar, click Deployment Manager.
- On the Tools menu, select Administration, and then click Log Source Virtualization Template Manager.
Verify the Open Collector template is already there in the Log Source Virtualization Template Manager, and verify the number of virtual log sources.
- In the lower-left corner click Virtual Log Source Manager, and verify the virtual log sources you need are on the list.
These log sources must be on the list:- Syslog - Open Collector - Webhook
- Syslog - Open Collector - Webhook OneLogin
- Syslog - Open Collector - Webhook Zoom
- Syslog - Open Collector - WebhookBeat Heartbeat
Click OK.
The Virtual Log Sources are available and verified.- Click Close.
Step 3: Syslog Relay Configuration
This step explains how to configure the Syslog Relay. The Open Collector needs Syslog Relay for the following reasons:
- By default, the agent timestamps syslog messages as they come in. The timestamp in the SIEM should reflect when the log was generated, not when the agent received this log.
- An additional Syslog Relay Regular Expression is required to correctly extract the timestamp.
Beats configured using the JSON parsing method should use the regex relay outlined in the Configure Beats for JSON Parsing topic and skip this step.
To configure Syslog Relay:
- Go to the System Monitors tab.
- Double-click the agent to which you will send the Open Collector syslog.
- Go to the Syslog and Flow Settings tab.
- If not already selected, select the Enable Syslog Server check box.
- In the Syslog Relay Hosts field on the left, type the Open Collector IP Address.
As the first line in the Syslog Relay Regular Expressions field, type the following:
CODE^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}\s.*)
- Click OK.
Here is an example of a configured Syslog Relay, where the Open Collector IP address is 10.3.0.1.
Step 4: Accept the Pending Log Source
After Open Collector logs are sent to the Windows System Monitor Agent, you need to accept the pending log source.
- Go to the Log Sources tab.
- In the New Log Sources grid, select the Action check boxes for the following:
Log Source Type. Syslog - Open Collector
Do not select the Webhook-specific log source types yet. You will do that in a later step.Log Processing Policy. LogRhythm Default
Right-click the selection, click Actions, and then click Accept.
Select one of the following:
- Customize and change the following as needed:
Collection System Monitor Entity
Log Message Processing Settings
Log Data Management and Processing Settings
Silent Log Message Source Settings
Default to select customized defaults that were previously selected.
Select a default batch amount between 100 and 5000.
- Customize and change the following as needed:
- Click OK.
- To see the newly accepted Log Source in the grid, click Refresh.
Step 5: Apply the Log Source Virtualization Template for Webhook Log Messages
Use the log source virtualization template imported in Step 2 to create a log source specifically for Webhook logs.
Double-click the newly accepted Open Collector Log Source.
The Log Message Source Properties window appears.Go to the Log Source Virtualization tab.
Select the Enable Virtualization check box.
Click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears.In the Log Source Virtualization Template menu, select Syslog - Open Collector - Webhook.
- To classify OneLogin service logs through Webhook, select Syslog - Open Collector - Webhook OneLogin in the Log Source Virtualization Template menu.
- To classify Zoom service logs through Webhook, select Syslog - Open Collector - Webhook Zoom in the Log Source Virtualization Template menu.
- Click Save.
The confirmation prompt appears. - Click OK.
New Log Sources appear in the grid as children of your parent log source.
Step 6: Apply the Log Source Virtualization Template for Webhook Beat Heartbeat Messages
Use the log source virtualization template imported in Step 2 to create a log source specifically for Webhook heartbeat logs.
- Double-click the newly accepted Open Collector Log Source.
The Log Message Source Properties window appears. - Go to the Log Source Virtualization tab.
- Select the Enable Virtualization check box.
- Click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears. - In the Log Source Virtualization Template menu, select Syslog - Open Collector - WebhookBeat Heartbeat.
- Click Save.
The confirmation prompt appears. - Click OK.
New Log Sources appear in the grid as children of your parent log source.
Step 7: (Optional) Enable Silent Log Source Detection
Silent Log Source Detection indicates when one of your log sources has stopped reporting logs.
- Double-click a child log source—for example, Syslog - Open Collector - Webhook.
The Virtual Log Message Source Properties window appears. - Go to the Additional Settings tab.
- Select the Enable Silent Log Source Detection check box.
- Configure warning and error intervals. LogRhythm recommends warning after 1 hour and error after 2 hours.
- Search for LogRhythm Silent Log Source Error and ensure the value in the Status column is Enabled.