
Multi-Tenancy for Beats

Multi-tenancy for beats in the Open Collector gives you the ability to run multiple instances of the same beat on a single host operating system.

Use case examples include:

  • Customers with multiple accounts on the same cloud vendor.
  • MSSPs who need to run many concurrent beats to cover a large customer base.

The multi-tenancy feature adds a unique beat identifier to all relevant volumes within the beat container. Each fully qualified beat name combines the name of the beat with the unique beat identifier.

Example - Azure EventHub beat

Beat name: eventhubbeat

Unique beat identifier (beatIdentifier): uswest1

Fully qualified beat name: eventhubbeat_uswest1

Volume format: <beatname>_config_<beatIdentifier>


Multi-Tenant Unique Beat Identifier

When creating a new beat, the configuration dialogue prompts you to enter a unique beat identifier.

The unique beat identifier prompt appears for all existing LogRhythm beats.

For example, when creating a new EventHub beat, you will see the following prompt:

The following validation rules apply to your unique beat identifier:

  • Must be system-unique
  • Must be 4 to 12 characters long
  • May only contain letters, numbers, period, underscore, and dash (. _ -)
  • Case-insensitive
  • Cannot be blank

Syslog Output from the Open Collector 

The Syslog output from the Open Collector contains the field fullyqualifiedbeatname=.

Example log

beatname=eventhubbeat|device_type=eventhubbeat|fullyqualifiedbeatname=eventhub_instance1|original message={...}


This field has been added to the regex for all Open Collector log sources but is not parsed into an LR metadata field. You can use this field to add custom virtual sources to the Open Collector LSV template. 

Example of virtual source regex that leverages the new field

beatname=eventhubbeat\|device_type=eventhubbeat\|.*?fullyqualifiedbeatname=eventhub_uswest1\|
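The trailing `\|` in the regex above matters because the validation rules allow identifiers that share a prefix or contain a period. The following is an added example, not LogRhythm code: it builds the page's pattern for constructed fully qualified names and runs it over constructed log lines, next to a loose unanchored pattern for comparison. `virtual_source_regex`, `route` and `log_line` are hypothetical helper names.

```python
import re


def virtual_source_regex(beatname, fq_name):
    """Build the page's virtual source pattern with the names escaped."""
    b, f = re.escape(beatname), re.escape(fq_name)
    # The closing \| ends the field, so "..._uswest1" cannot match "..._uswest10".
    return re.compile(rf"beatname={b}\|device_type={b}\|.*?fullyqualifiedbeatname={f}\|")


def route(lines, sources):
    """Return {line index: [names of the virtual sources whose regex matches]}."""
    return {i: [name for name, rx in sources.items() if rx.search(line)]
            for i, line in enumerate(lines)}


def log_line(fq_name):
    # Constructed line that follows the layout of the page's example log.
    return ("beatname=eventhubbeat|device_type=eventhubbeat|"
            f"fullyqualifiedbeatname={fq_name}|original message={{...}}")


# Constructed fully qualified names: two share a prefix, one contains a period.
NAMES = ["eventhub_uswest1", "eventhub_uswest10", "eventhub_us.west", "eventhub_usXwest"]
LINES = [log_line(n) for n in NAMES]

STRICT = {n: virtual_source_regex("eventhubbeat", n) for n in NAMES}
# Loose variant for comparison: no escaping and no closing delimiter.
LOOSE = {n: re.compile("fullyqualifiedbeatname=" + n) for n in NAMES}

if __name__ == "__main__":
    for label, sources in (("strict", STRICT), ("loose", LOOSE)):
        for i, hits in route(LINES, sources).items():
            flag = "" if len(hits) == 1 else "  <-- matches more than one source"
            print(f"{label:6} {NAMES[i]:18} -> {hits}{flag}")
```

With the loose patterns, the `uswest10` and `usXwest` lines each match two virtual sources, so one tenant's logs could be attributed to another's log source.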


Components Affected by Multi-Tenancy for Beats

  • LRCTL container
  • LRCTL script
  • All Beats containers
  • SIEM log sources for Open Collector


Feature Commands

The following feature commands are available for use with beat multi-tenancy:


Config Create

To create a beat instance:

  1. Run the following command:

    ./lrctl <beatname> config create
  2. At the prompt, enter your new unique beat identifier. 

    After you complete the configuration steps, a new volume is created within the beat container. This new volume has the following format: <beatname>_config_<beatIdentifier>.


Config Edit

To edit a beat instance:

  1. Run the following command:

    ./lrctl <beatname> config edit

    A menu of beat instances with existing configuration volumes appears.

  2. Select the beat instance you want to edit. 
    You can change the unique beat identifier, if desired.


Config Export

To export a beat configuration file:

  1. Run the following command:

    ./lrctl <beatname> config export --outfile file_name.yml

    A menu of beat instances with existing configuration volumes appears.

    The configuration file is saved to the specified outfile file name. The file extension must be .yml. If you do not specify an outfile, the configuration file is printed to the console.


Config Import

When importing a beat configuration file, LR Open Collector expects the following parameter to be defined.

Name            Type    Details
beatIdentifier  String

Most alpha-numeric text is determined to be type string. However, some data need to be encapsulated in double quotes to force them to be type string.


Examples of data that would need double quotes:

  • Numbers: 1000.00 must be represented as beatIdentifier: "1000.00"
  • Booleans: True must be represented as beatIdentifier: "True"


The beatIdentifier field must comply with the validation rules outlined in the Multi-Tenant Unique Beat Identifier section.

If your beat configuration file does not include the beatIdentifier field, LR Open Collector will create a legacy beat instance without a unique beat identifier appended to the volume and container names. You can only have one such legacy beat per system.
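A pre-import check for the rules above, as an added example that is not part of LR Open Collector: it applies the identifier validation rules and the quoting requirement to a configuration file before it is piped to `config import`. It assumes the field sits on its own line as `beatIdentifier: value`; `check_beat_identifier` is a hypothetical name, and the list of identifiers already on the host is supplied by the operator.

```python
import re

# Rules from the "Multi-Tenant Unique Beat Identifier" section: 4 to 12 characters,
# letters, numbers, period, underscore and dash only.
ID_RE = re.compile(r"[A-Za-z0-9._-]{4,12}")
# Unquoted scalars a YAML parser may type as boolean, null or number instead of
# string (assumption: a conservative subset; the page names numbers and booleans).
NON_STRING_RE = re.compile(
    r"(?i)(true|false|yes|no|on|off|null|~|[-+]?(\d[\d_]*\.?\d*|\.\d+)(e[-+]?\d+)?)")
# Assumption: the field sits on its own line as "beatIdentifier: value".
FIELD_RE = re.compile(r"^[ \t]*beatIdentifier:[ \t]*(.*?)(?:[ \t]+#.*)?[ \t]*$", re.M)


def check_beat_identifier(yaml_text, existing=()):
    """Return (ok, detail) for the beatIdentifier in a beat configuration file.

    existing: identifiers already present on this host, supplied by the operator.
    """
    m = FIELD_RE.search(yaml_text)
    if m is None:
        return True, "no beatIdentifier: imports as the one legacy instance"
    raw = m.group(1)
    quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'"
    value = raw[1:-1] if quoted else raw
    if not value:
        return False, "beatIdentifier is blank"
    if not quoted and NON_STRING_RE.fullmatch(value):
        return False, f'{value} is not a string; write beatIdentifier: "{value}"'
    if not ID_RE.fullmatch(value):
        return False, f"{value!r} breaks the length or character rules"
    if value.lower() in {e.lower() for e in existing}:
        # Identifiers are case-insensitive, and import overwrites an existing volume.
        return False, f"{value} matches an existing instance; import would overwrite it"
    return True, value


if __name__ == "__main__":
    # Constructed sample configuration fragments.
    for text in ('beatIdentifier: uswest1', 'beatIdentifier: 1000.00',
                 'beatIdentifier: "1000.00"', 'beatIdentifier: True', 'other: x'):
        print(f"{text!r:32} -> {check_beat_identifier(text, existing=['USEAST1'])}")
```

On a host that runs beats for several tenants, the case-insensitive comparison against existing identifiers catches an import that would replace another instance's configuration volume.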

To import a beat configuration file:

  1. Run the following command:

    cat config_file.yml | ./lrctl <beatname> config import  

    LR Open Collector reads the beatIdentifier field in the configuration file and creates a new volume. 

    If you have an existing configuration volume, it will be overwritten by the imported configuration volume.

Config Remove

To remove a beat instance:

  1. Run the following command:

    ./lrctl <beatname> config remove

    A menu of beat instances with existing configuration volumes appears.

  2. Select the beat instance for which you want to delete the configuration volume. 


Config View

To view a beat instance:

  1. Run the following command:

    ./lrctl <beatname> config view

    A menu of beat instances with existing configuration volumes appears.

  2. Select the beat instance you want to view. 

    A subset of configuration fields from the selected beat instance is printed to the console.

Logs

To view logs for currently running beat instances:

  1. Run the following command:

    ./lrctl <beatname> logs

    A menu of currently running beat instances appears.

  2. Select the beat instance for which you want to view the logs.

    The logs for the selected beat instance are printed to the console.


Restart

To restart a currently running beat instance:

  1. Run the following command:

    ./lrctl <beatname> restart

    A menu of running beat instances with existing configuration volumes appears.

  2. Select the beat instance you want to restart.

    Restarting a beat instance stops the selected container, then starts the selected container.
  3. Click Cancel to cancel this action.


Start

To start running a beat instance:

  1. Run the following command:

    ./lrctl <beatname> start

    A menu of non-running beat instances with existing configuration volumes appears.

  2. Select the beat instance you want to start.

  3. Click Cancel to cancel this action or select New <beatname> instance to create a new instance of this type of beat.


Status

To view the status of all running beat instances:

  1. Run the following command:

    ./lrctl status

    A list of all running beat instances appears. The status list includes the following information about each beat instance:

    • Service name
    • Version
    • Date created
    • Status (uptime)


<beatname> Status

To view the status of all instances within a specific beat type:

  1. Run the following command:

    ./lrctl <beatname> status

    A list of all running instances within the specified beat appears. The status list includes the following information about each beat instance:

      • Service name
      • Version
      • Date created
      • Status (uptime)


Stop

To stop running a beat instance:

  1. Run the following command:

    ./lrctl <beatname> stop

    A menu of running beat instances with existing configuration volumes appears.

  2. Select the beat instance you want to stop.

  3. Click Cancel to cancel this action.


Troubleshoot Export

To export a troubleshoot file:

  1. Run the following command:

    ./lrctl <beatname> troubleshoot export --outfile <filename>.tar.gz

    A menu of currently running beat instances appears.

    The configuration file is saved to the specified outfile file name. The file extension must be .tar.gz.

FAQ

Can I edit an existing unique beat identifier (beatIdentifier)?

Yes. You can change an existing unique beat identifier by running the Config Edit command.


Can I edit the beatIdentifier field in a configuration file before I import it into the Open Collector?

Yes. You can use a text editor to change the beatIdentifier field before you import the file.  

When importing the configuration file, a new beat instance is created.

When changing the beatIdentifier field, you must comply with the validation rules outlined in the Multi-Tenant Unique Beat Identifier section.

