Install the Open Collector
If you are upgrading an existing Open Collector, skip this procedure and go to Upgrade the Open Collector.
If you want to configure the Open Collector using the SIEM web console, skip this procedure and go to Configure Open Collector Connection to the SIEM.
If you would like to copy and paste these commands, using PuTTY or another SSH client will give you better results than using the VM console.
Install WGET:
```shell
sudo yum install -y wget
```
Download the Open Collector Control Script:
```shell
wget https://raw.githubusercontent.com/logrhythm/versions/master/lrctl
```
Change permissions:
```shell
chmod +x lrctl
```
Initialize the Open Collector and start all components.
The following command installs Docker - Community Edition:
```shell
./lrctl init
```
If you plan to use a proxy server, additional configuration is necessary. For more information, see Configure Open Collector Via Proxy for steps to take before continuing with this installation.
If installing on RHEL 8, modification of the firewalld.conf file is required before starting the Metrics service or the Open Collector. Please see the RHEL 8 installation page for details.
Start the Metrics service:
```shell
./lrctl metrics start
```
The system will prompt you to configure centralized metrics, because a configuration must exist before the Metrics service can start. Answer the question at the prompt to complete the start of the Metrics service.
Start the Open Collector:
```shell
./lrctl open-collector start
```
Configure the Open Collector
Type the following configuration information:
- System Monitor Host Name/IP: The hostname or IP address of your syslog-enabled LogRhythm SysMon agent. The SysMon agent must be reachable over the network from the Open Collector.
- System Monitor syslog Port: The port number on which your LogRhythm SysMon agent is configured to receive syslog messages. By default, this is port 514.
- Syslog Server Timezone: The timezone your LogRhythm SysMon agent is in. This is important for ensuring that timestamps on syslog messages are accurate.
- Syslog Transport Mechanism: The protocol with which you would like to send syslog messages to the LogRhythm SysMon agent.
  - TCP - Transmission Control Protocol. Recommended transport option when encryption is not required.
  - UDP - User Datagram Protocol. Not recommended unless log size is small AND reliability is not a concern.
  - TLS - Transport Layer Security v1.2 over a TCP connection. Requires a certificate.
Open Collector supports syslog collection on Linux SysMon agents from System Monitor version 7.9.0.8004 onwards. The Linux SysMon agent cannot be installed on the same machine as the Open Collector.
TLS is not supported on Linux at this time.
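Before committing to a transport at the prompt above, it helps to confirm that the SysMon agent actually accepts a syslog message on the chosen port and protocol. The script below is an added example, not LogRhythm's code: it builds an RFC 5424 test message and sends it over TCP, UDP or TLS 1.2 with certificate verification. Newline framing on TCP/TLS and the host/port values are assumptions, and `loopback_check` uses a throwaway local listener only so the round trip can be exercised offline.

```python
"""Pre-flight check for the Open Collector -> SysMon agent syslog hop (added example)."""
import socket
import ssl
import threading


def build_syslog_message(hostname, app_name, text, facility=1, severity=6,
                         timestamp="2024-01-01T00:00:00.000Z"):
    # RFC 5424 header: PRI = facility * 8 + severity (1 = user, 6 = informational)
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - - - {text}"


def send_syslog(host, port, transport, message, cafile=None):
    """Send one message; transport is 'tcp', 'udp' or 'tls'. Returns bytes written."""
    data = message.encode("utf-8")
    if transport == "udp":
        # Fire and forget: no delivery guarantee, which is why the page discourages UDP
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (host, port))
    sock = socket.create_connection((host, port), timeout=5)
    if transport == "tls":
        # TLS 1.2 minimum, verifying the agent certificate against the supplied CA
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        sock = ctx.wrap_socket(sock, server_hostname=host)
    elif transport != "tcp":
        raise ValueError(f"unknown transport {transport!r}")
    with sock:
        sock.sendall(data + b"\n")  # assumed non-transparent (newline) framing
    return len(data) + 1


def loopback_check(message):
    """Start a local TCP listener, send via send_syslog, and return what arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def accept_one():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            received.append(buf)

    worker = threading.Thread(target=accept_one)
    worker.start()
    send_syslog("127.0.0.1", port, "tcp", message)
    worker.join(5)
    srv.close()
    return received[0].decode("utf-8").rstrip("\n")
```

Against a real agent, call `send_syslog("<sysmon-host>", 514, "tcp", build_syslog_message("oc01", "open-collector", "connectivity test"))` from the Open Collector host and then look for the message in the agent's log source.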
(Optional) Configure Open Collector Advanced Properties
When configuring the Open Collector, you are prompted about whether you want to configure advanced properties. Advanced properties include two fields:
- Concurrency. The number of components to run in parallel. In the context of a multi-core server, cores are utilized more thoroughly with increased concurrency. This setting uses more system processing power and increases the performance of the Open Collector.
- Capacity. The size of the queue in an Open Collector component. Messages are passed from component to component after processing for each component is complete. Because certain components require less processing than others, there are queues in place for messages waiting to be processed.
You can also reach this prompt by running the following command:
```shell
./lrctl oc config edit
```
Recommended Advanced Properties Configuration Settings
The following configuration settings may improve performance of the Open Collector. For more on the individual components, see Understand the Open Collector Components.
System | Demux (Capacity / Concurrency) | Lumberjack (Capacity / Concurrency) | Pipelines (Capacity / Concurrency) | Outputs (Capacity / Concurrency)
---|---|---|---|---
8 cores, Intel(R) Xeon(R) CPU, 3100.178 MHz, BogoMIPS 6200.35 | 1000 / 32 | 1 / 2 | 1000 / 16 | 1000 / 8
24 cores, Intel(R) Xeon(R) CPU, 3100.180 MHz, BogoMIPS 6200.36 | 1000 / 16 | 1 / 2 | 1000 / 16 | 1000 / 8
Understand the Open Collector Components
- Lumberjack. The listener for ingesting raw beat logs. This component forwards messages to the demux.
- Demux (demultiplexer). Routes an input log to its corresponding pipeline. For example, an Azure log is routed to the Eventhub pipeline, a G Suite log to the G Suite pipeline, and so on.
- Pipelines. JQ pipelines where most of the transform logic lives. Raw messages are transformed to map to LogRhythm schema.
- Outputs. Formats the message to Linux syslog and sends it to the agent.
Validate the Installation
To validate that you have installed the Open Collector correctly and initialized the Beats:
- Validate that the services are running with the following three commands:
```shell
./lrctl open-collector status
./lrctl metrics status
./lrctl <beat name> status
```
- View the metrics in Grafana. Open a supported browser (Chrome or Firefox) and go to http://<opencollectorip>:3000.
  CentOS and the Open Collector are command-line only, so you will need to access Open Collector Metrics from a browser on another machine. Ensure that port 3000 inbound is open on the Open Collector.
  In Grafana, go to Open Collector, and then Open Collector Overview.
The default Open Collector Overview dashboard has three columns. Each column includes a Messages Per Second and a Counters (total) graph. The Pipelines and Output columns also have Errors graphs.
- Left column. Input - a Beat is successfully sending logs to the Open Collector.
- Middle column. Pipelines - the logs are matching our MDI.
- Right column. Output - the logs are successfully sent to the System Monitor Agent.
- If data is flowing through the Open Collector, the graphs will be populated with data regarding total counts and MPS for various parts of the pipeline. Each graph has an information icon in the top-left corner. Point to this icon for a description of what each graph displays.