Skip to main content
Skip table of contents

JSON Normalization Customization

Starting with LogRhythm 7.17, the Open Collection Architecture opens the System Monitor Agent to allow acceptance of JSON logs from sources that support the Lumberjack protocol. This means administrators can configure 3rd party JSON agents directly with the System Monitor to collect log sources.

Enable JSON Listener on System Monitor Agent

To ensure the System Monitor Agent (SMA) is ready to accept JSON logs, follow the instructions outlined in Configure Beats for JSON Parsing.

Point the Feed to the JSON Listener

Once you have configured the System Monitor Agent, update the configuration of the tool you are using to point to the SMA’s hostname or IP address.

By default, the JSON listener is on port 5044. You can change the port in System Monitor Properties in the Client Console. For more information, see Modify System Monitor Advanced Properties.

Onboard the New Log Source

There are two possible ways to onboard the new log source, depending on whether your System Monitor Agent is configured with an Open Collector.

If your System Monitor Agent is already configured with an Open Collector, you w need to take the route under “Configure Log Source Virtualization” if this SMA doesn’t have an Open Collector log source, follow the path of “Accept the pending log source”

Accept the Pending Log Source

If the Agent receiving JSON logs is not configured to work with an Open Collector:

  1. Associate the new pending log source with the log source type Syslog - Open Collector. For more information, see Associate New Log Sources.

  2. Resolve the log source Host. For more information, see Resolve Log Source Hosts.

  3. Accept the pending log source with Defaults. For more information, see Accept New Log Sources.

  4. Your new log source is now onboarded.

Configure Log Source Virtualization

If the Agent receiving JSON logs is already configured to work with an Open Collector or if you have multiple JSON log feeds coming to the same Agent, you will need to leverage Log Source Virtualization (LSV) to effectively map the log source to the correct log source type.

  1. Follow the example of the Open Collector LSV template, this is the exact format that the SMA will send the logs in as. For more information, see Log Source Virtualization.

  2. Accept the pending log source as described above, then associate it with the Log Source Virtualization template.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close