Initialize the Box Beat

This guide outlines the procedure to initialize the Box Beat configuration using the Open Collector.

Prerequisites

  • Acquire a JWT by creating a Box app, as outlined in Configure Box API.

  • Ensure that System Monitor version 7.21 or higher is installed, with JSON parsing enabled. For more information on enabling JSON parsing, refer to Configure Beats for JSON Parsing.

  • The following port must be open:

    Direction   Port   Protocol   Source
    Outbound    443    HTTPS      boxbeat

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

    Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. Execute the following command to begin configuring the Box Beat:

    ./lrctl boxbeat start
    
  2. Use the arrow keys to select New boxbeat instance and press Enter.

  3. Enter a unique identifier for the beat instance.

  4. Enter the Box API endpoint.
    The default is https://api.box.com/

  5. Copy and paste the text from the JWT file downloaded in Configure the Box API.

  6. Enter one of the following event stream types:

    • all (Includes user events such as file operations and sharing. Works with standard OAuth2 apps.)

    • admin_logs (Includes admin events such as user management and policies. Requires Enterprise Admin access.)

  7. Enter the number of events to be logged per API request.
    The default is 100, and the max is 500.

  8. Enter the collection period.
    This is the amount of time that should elapse between each collection. The default is 60s.

  9. Enter the hostname or IP address of the System Monitor Agent that will be performing the JSON parsing.

  10. Enter the port of the System Monitor Agent JSON listener.
    The default is port 5044.

  11. After pressing Enter a final time, the beat starts successfully.

  12. (Optional.) To check the status of the service, run the following command:

    ./lrctl boxbeat status
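
The values entered at the prompts in steps 4 through 10 can be checked before running ./lrctl boxbeat start. The pre-flight check below is an added example, not part of the original guide or of the Open Collector. The function names, the key layout of the JWT config file (the JSON file Box generates for a JWT app) and the duration pattern are assumptions.

```python
import json
import re
from urllib.parse import urlparse

STREAM_TYPES = {"all", "admin_logs"}  # the two stream types offered in step 6
MAX_EVENTS = 500                      # per-request maximum from step 7
# Assumption: key layout of the JSON config file Box generates for a JWT app.
APP_KEYS = ("clientID", "clientSecret")
AUTH_KEYS = ("publicKeyID", "privateKey", "passphrase")

def _obj(value):
    # Treat anything that is not a JSON object as an empty one.
    return value if isinstance(value, dict) else {}

def check_jwt_config(text):
    """Return problems in the pasted JWT config; reports key names, never values."""
    try:
        cfg = _obj(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    app = _obj(cfg.get("boxAppSettings"))
    auth = _obj(app.get("appAuth"))
    problems = [f"missing boxAppSettings.{k}" for k in APP_KEYS if not app.get(k)]
    problems += [f"missing boxAppSettings.appAuth.{k}" for k in AUTH_KEYS if not auth.get(k)]
    if not cfg.get("enterpriseID"):
        problems.append("missing enterpriseID")
    return problems

def check_answers(endpoint, stream, limit, period, host, port):
    """Return problems in the values typed at the prompts in steps 4-10."""
    url = urlparse(endpoint)
    checks = [
        (url.scheme == "https" and bool(url.hostname), "endpoint must be an https:// URL"),
        (stream in STREAM_TYPES, "stream type must be all or admin_logs"),
        (1 <= limit <= MAX_EVENTS, f"events per request must be 1-{MAX_EVENTS}"),
        # Assumption: the period is a number plus a unit, like the default 60s.
        (re.fullmatch(r"[1-9]\d*(s|m|h)", period) is not None, "collection period must look like 60s"),
        (bool(host.strip()), "agent hostname or IP is empty"),
        (1 <= port <= 65535, "agent port must be 1-65535"),
    ]
    return [message for ok, message in checks if not ok]

# Constructed sample input: placeholder strings, not real credentials.
SAMPLE_CONFIG = json.dumps({
    "boxAppSettings": {"clientID": "example-id", "clientSecret": "example-secret",
                       "appAuth": {"publicKeyID": "abcd1234", "privateKey": "PLACEHOLDER",
                                   "passphrase": "placeholder"}},
    "enterpriseID": "0000000"})

if __name__ == "__main__":
    print(check_jwt_config(SAMPLE_CONFIG))
    print(check_answers("https://api.box.com/", "admin_logs", 100, "60s", "192.0.2.10", 5044))
```

An empty list from both functions means the values match what the prompts expect. The JWT check reports only the names of missing keys, so its output can be shared without exposing the client secret or private key.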