Prerequisites
- The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- You have the required keys: GCP Credential file contents, GCP Project ID, and the GCP BigQuery Dataset name.
- The following port is open:

| Direction | Port | Protocol | Source |
|---|---|---|---|
| Outbound | 443 | HTTPS | gmtbeat |
Initialize the Beat via the Web Console (Recommended)
- Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.
- Ensure that the System Monitor Agent to which you intend to send these logs has been configured for JSON Parsing. Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.
- Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.
Initialize the Beat via Command Line (Legacy)
1. Start the beat:
   ```bash
   ./lrctl gmtbeat start
   ```
2. Use the Up and Down Arrow keys to select New gmtbeat instance from the list, and then press Enter.
3. Enter the unique identifier for this gmtbeat instance, and then press Enter.
4. Enter the GCP credential file contents, and then press Enter twice when finished.
5. Enter the GCP Project ID, and then press Enter.
6. Enter the GCP BigQuery Dataset name, and then press Enter.
   If you change the dataset name in the beat configuration later, delete the previous position file so that log collection is re-enabled for the new dataset:
   ```bash
   rm /var/lib/docker/volumes/gmtbeat_logs/_data/pos.json
   ```
7. Enter the hostname or IP address of the System Monitor Agent that has been configured for JSON Parsing, and then press Enter. Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent section at the above link to configure the System Monitor Agent for JSON Parsing.
8. Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter.
   The gmtbeat service started message appears.
9. Check the status of the service to confirm that it is running:
   ```bash
   ./lrctl gmtbeat status
   ```
10. (Optional) Edit the gmtbeat configuration to update the values set above if needed. Make sure you have the information for every step available, because you will need to re-enter all of it:
    ```bash
    ./lrctl gmtbeat config edit
    ```
Default Config Values for GMTBeat:

| S. No. | Field Name | Default Value |
|---|---|---|
| 1. | project | User Provided |
| 2. | HeartbeatInterval | 5m0s |
| 3. | HeartbeatDisabled | false |
| 4. | CredentialsFile | /beats/gmtbeat/config/gmt_credentials.json |
| 5. | Dataset | User Provided |
| 6. | NumberOfBackDays | 7 |
| 7. | Period | 10s |
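As an added example (not part of this guide or of the gmtbeat product), the following Python checker validates values against the defaults in the table before you save them with `config edit`: it confirms the two User Provided fields are set, that the heartbeat and period values are positive Go-style durations like `5m0s`, and that the credentials file is readable JSON. It assumes the config values are available as a plain dict (the actual config file layout is not shown on this page).

```python
import json
import re

# Defaults as listed in the table above. The real gmtbeat config file layout is
# not shown on this page, so this checker (an assumption) takes a plain dict.
DEFAULTS = {
    "project": None,                       # User Provided
    "HeartbeatInterval": "5m0s",
    "HeartbeatDisabled": False,
    "CredentialsFile": "/beats/gmtbeat/config/gmt_credentials.json",
    "Dataset": None,                       # User Provided
    "NumberOfBackDays": 7,
    "Period": "10s",
}

_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

def parse_duration_seconds(text):
    """Parse a Go-style duration such as '5m0s' or '10s'; return seconds or None."""
    if not isinstance(text, str) or not re.fullmatch(r"(?:\d+(?:\.\d+)?(?:ns|us|ms|s|m|h))+", text):
        return None
    return sum(float(v) * _UNITS[u] for v, u in _PART.findall(text))

def check_config(cfg, check_files=True):
    """Return a list of problems in a gmtbeat-style config dict; empty means OK."""
    merged = {**DEFAULTS, **cfg}
    problems = []
    for key in ("project", "Dataset"):        # no default: must be user provided
        if not merged[key]:
            problems.append(f"{key} must be provided")
    for key in ("HeartbeatInterval", "Period"):
        secs = parse_duration_seconds(merged[key])
        if secs is None or secs <= 0:
            problems.append(f"{key}={merged[key]!r} is not a positive Go-style duration")
    days = merged["NumberOfBackDays"]
    if isinstance(days, bool) or not isinstance(days, int) or days < 0:
        problems.append(f"NumberOfBackDays={days!r} must be a non-negative integer")
    if not isinstance(merged["HeartbeatDisabled"], bool):
        problems.append("HeartbeatDisabled must be true or false")
    if check_files:                            # credentials file must be readable JSON
        path = merged["CredentialsFile"]
        try:
            with open(path) as fh:
                json.load(fh)
        except (OSError, ValueError) as exc:
            problems.append(f"CredentialsFile {path!r} is not readable JSON: {exc}")
    return problems
```

Run `check_config({"project": "example-project", "Dataset": "example_dataset"})` on the collector host to also exercise the credentials-file check; pass `check_files=False` to validate the values alone.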