Initialize the Generic Beat with Epoch (Unix) Time
This topic outlines the process to set up the Generic beat to fetch logs from any log sources that support page-based pagination, header-based authentication, and the "between the start and end date" filter.
This guide assumes a working knowledge of the API request and response format to be set up with the Generic beat.
Prerequisites
- Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- Log source Name (the same as the name of the log source you want to set up with the Generic beat).
- Log source URL (the complete URL with which logs can be fetched from the log source).
- Sorting fields, if sorting is supported by the API.
- Response data field, if the response needs to be fetched from a specific field in JSON.
- Period during which logs need to be fetched from the log source.
- Request headers and query parameters that the API requires to fetch logs from an endpoint.
The following port is open:
Direction   Port     Protocol     Source
Outbound    443/80   HTTPS/HTTP   genericbeat
Initialize the Beat
For more information on any of the Generic beat-specific fields described in this topic, see the Guide to Generic Beat Prompt Inputs section of the Configure the Generic Beat topic.
The values shown in this guide are example values. Replace them with the actual values that your API supports.
To confirm the Open Collector is running, run the following command:
./lctrl status
You should see the open_collector and metrics versions. If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.
To start the Beat, run the following command:
./lctrl genericbeat start
- Select New genericbeat instance using the arrow keys, and then press Enter.
- Enter the unique beat identifier for this beat instance, and then press Enter.
- Enter Sysdig as the logsource name for Generic beat configuration.
- Select GET (the default value) as the HTTP method using the arrow keys, and then press Enter.
- Enter the API URL for the host to which you wish to connect. For example, https://us2.app.sysdig.com/api/v1/secureEvents.
- Select No Pagination as the pagination style using the arrow keys, and then press Enter.
- Select Date Range as the filter type using the arrow keys, and then press Enter.
- Select EPOCH_UNIX_NANO (nanoseconds since the Unix epoch, a 19-digit value) as the date-time format using the arrow keys, and then press Enter.
- Enter the delay time, in seconds, that the API needs before live logs become available. For example, 2s.
- Select Between start and end date as the date range filter using the arrow keys, and then press Enter.
- Enter the 19-digit Epoch time value (nanoseconds since the Unix epoch, matching the EPOCH_UNIX_NANO format selected above) from which logs should start being imported, and then press Enter.
- Enter the 19-digit Epoch time value at which logs should stop being imported, and then press Enter.
- Select Header Based Authentication as the authentication method using the arrow keys, and then press Enter.
- Enter Authorization as the auth header name, and your Bearer token as the auth token value, and then press Enter.
- Select No for whether your API supports sorting using the arrow keys, and then press Enter.
- Enter Accept:application/json as an additional request header, and then press Enter.
- Enter Content-Type:application/json;charset=UTF-8 as an additional request header, and then press Enter.
- Enter c at each of the next three prompts to continue.
- Select Yes to specify a specific field from the response using the arrow keys, and then press Enter.
- Enter data as the field of the JSON response that contains the events, and then press Enter.
- Enter 20s as the polling period for the beat, and then press Enter to continue.
The Generic beat is successfully initialized.
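The two date prompts above take raw 19-digit values, and a value in seconds or milliseconds is accepted by the prompt but selects a window in 1970, so the beat fetches nothing. As an added, stand-alone example (not LogRhythm's code and not part of the original guide), the following Python computes the EPOCH_UNIX_NANO start and end values from ordinary timestamps, pulls the end of the window back by the live-log delay, checks the digit count, assembles the same request the beat will send so it can be tried with curl or a REST client before the beat is started, and reads events out of the response's data field. The query parameter names from and to are an assumption (the page does not state them; check your API reference), and the sample response is constructed.

```python
"""Helpers for the Generic beat prompts: EPOCH_UNIX_NANO values, the equivalent
HTTP request, and extraction of the configured response field.
Added example, not LogRhythm code."""
import datetime as dt
import json

NANOS_PER_SECOND = 1_000_000_000
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def to_epoch_unix_nano(when: dt.datetime) -> int:
    """Timezone-aware datetime -> nanoseconds since the Unix epoch (EPOCH_UNIX_NANO)."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; a naive one is ambiguous across hosts")
    delta = when - UNIX_EPOCH  # integer arithmetic, no float rounding of the timestamp
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * NANOS_PER_SECOND + delta.microseconds * 1_000


def is_valid_epoch_unix_nano(value: int) -> bool:
    """True only for a 19-digit value, i.e. nanoseconds. A 10-digit (seconds) or
    13-digit (milliseconds) value would silently select a window in 1970."""
    return isinstance(value, int) and len(str(value)) == 19


def fetch_window(start: dt.datetime, end: dt.datetime, delay_seconds: int) -> tuple:
    """Start/end pair for the two date prompts. The end is pulled back by the
    API-side delay so the beat does not request events the API has not indexed yet."""
    start_ns = to_epoch_unix_nano(start)
    end_ns = to_epoch_unix_nano(end - dt.timedelta(seconds=delay_seconds))
    if end_ns <= start_ns:
        raise ValueError("end must be later than start after the delay is applied")
    return start_ns, end_ns


def window_from_iso(start_iso: str, end_iso: str, delay_seconds: int) -> tuple:
    """Same as fetch_window, but from ISO 8601 strings with an explicit UTC offset."""
    return fetch_window(dt.datetime.fromisoformat(start_iso),
                        dt.datetime.fromisoformat(end_iso), delay_seconds)


def build_request(url: str, token: str, start_ns: int, end_ns: int) -> dict:
    """What the beat sends with the choices made in the guide: GET, header-based auth,
    the two extra headers. ASSUMPTION: the date-range query parameters are named
    'from' and 'to'; the guide does not state the names."""
    for v in (start_ns, end_ns):
        if not is_valid_epoch_unix_nano(v):
            raise ValueError(f"{v} is not a 19-digit EPOCH_UNIX_NANO value")
    return {
        "method": "GET",
        "url": url,
        "headers": {
            "Authorization": f"Bearer {token}",
            "Accept": "application/json",
            "Content-Type": "application/json;charset=UTF-8",
        },
        "params": {"from": str(start_ns), "to": str(end_ns)},
    }


def extract_events(body: str, data_field: str = "data") -> list:
    """Mirror the 'specific field from the response' prompt: events are read from
    body[data_field] and must be a list; anything else is a configuration error."""
    doc = json.loads(body)
    if data_field not in doc:
        raise KeyError(f"response has no {data_field!r} field; keys: {sorted(doc)}")
    events = doc[data_field]
    if not isinstance(events, list):
        raise TypeError(f"{data_field!r} is a {type(events).__name__}, expected a list")
    return events


# Constructed sample response (not a real Sysdig payload): one event inside "data".
SAMPLE_RESPONSE = json.dumps({
    "page": {"total": 1},
    "data": [{"id": "evt-1", "timestamp": 1704067260000000000, "name": "sample event"}],
})


if __name__ == "__main__":
    s, e = window_from_iso("2024-01-01T00:00:00+00:00", "2024-01-01T01:00:00+00:00", 2)
    req = build_request("https://us2.app.sysdig.com/api/v1/secureEvents", "REPLACE_ME", s, e)
    print(json.dumps(req, indent=2))
    print(extract_events(SAMPLE_RESPONSE))
```

Type the two numbers that window_from_iso returns at the start and end prompts; if the request assembled by build_request returns an empty data list from the real API for a window you know contains events, the digit count or the parameter names are the first things to check.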