
OC Admin Open Collectors

This section of the OC Admin User Guide details setup and management of Open Collectors within the OC Admin.

Open Collectors are required for the user to be able to:

  • Run a temporary Tail to help map log source JSON data to LogRhythm SIEM's parsing tags and fields.
  • Deploy the Pipeline for production.

Open Collectors List

To access the list of Open Collectors in the OC Admin, from the main page:

  1. Click Open Collectors in the menu bar.

Actions

The following actions are available for each Open Collector:

Action: Description

Re-Scan: Click to refresh the Open Collector host and check for updated versions of:

  • The Operating System.
  • The Open Collector.
  • Beats.

    LogRhythm Beats, if running, or other Beats, if installed.

During the re-scan, information is replaced with "waiting" images:

If the Open Collector host is not reachable, or the credentials are incorrect, the item updates with the following error images:

For more information on the Installed Shippers column, refer to the Shippers section below.

Edit: Click to edit the Open Collector's properties (such as the name, host, port, and credentials).

Delete: Click to delete the Open Collector from the OC Admin. A prompt appears to verify this action.

Add a New Open Collector

To add a new Open Collector to the OC Admin, from the Open Collectors list:

  1. Click the + Add New OpenCollector button.
  2. Enter a unique OpenCollector Name.
  3. Enter the Host name (the IP address or hostname of the Open Collector).
  4. Enter the SSH Port.
  5. Enter the SSH User name.
  6. Choose between the Password or Private Key authentication method.
  7. Provide the Password or Key in the corresponding field.

    For the Private Key, paste the entire contents of the key file, including the -----BEGIN ... of the first line and ... KEY----- of the last line:

    Open Collectors - Credentials - Private Key

  8. Click the Add new OpenCollector button.
    The new Open Collector is successfully added to the list.
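
A pre-paste check for step 7, as an added example that is not part of the LogRhythm documentation: it confirms that the key text still has matching BEGIN/END lines and an intact base64 body, and for OpenSSH-format keys it reports whether the key is passphrase-protected. The names check_pasted_key and sample_key are hypothetical, and the sample key is constructed and not usable.

```python
import base64
import re
import struct

ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]*PRIVATE KEY)-----$")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def check_pasted_key(text):
    """Return (ok, detail) for text about to be pasted into the Key field."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first = ARMOR.match(lines[0]) if lines else None
    last = ARMOR.match(lines[-1]) if lines else None
    if not first or first.group(1) != "BEGIN":
        return False, "first line is not a -----BEGIN ... PRIVATE KEY----- line"
    if not last or last.group(1) != "END":
        return False, "last line is not an -----END ... PRIVATE KEY----- line"
    if first.group(2) != last.group(2):
        return False, "BEGIN and END labels differ"
    # Legacy PEM keys may carry Proc-Type/DEK-Info headers; base64 never has ':'.
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False, "body is not valid base64 (truncated or altered paste)"
    if not raw:
        return False, "no key material between the BEGIN and END lines"
    if first.group(2) != "OPENSSH PRIVATE KEY":
        return True, "complete PEM key (%s)" % first.group(2)
    off = len(OPENSSH_MAGIC)
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
        return False, "OpenSSH key body lacks the openssh-key-v1 header"
    # The first length-prefixed string after the magic is the cipher name.
    (n,) = struct.unpack_from(">I", raw, off)
    cipher = raw[off + 4:off + 4 + n].decode("ascii", "replace")
    state = "unencrypted" if cipher == "none" else "passphrase-protected (%s)" % cipher
    return True, "complete OpenSSH key, " + state


def sample_key(cipher=b"none"):
    """Constructed, non-functional sample: only the header fields are realistic."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 32
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


if __name__ == "__main__":
    print(check_pasted_key(sample_key()))
    print(check_pasted_key(sample_key(b"aes256-ctr")))
    print(check_pasted_key(sample_key().split("\n-----END")[0]))  # END line lost
```

A body cut at an exact 4-character boundary still decodes as base64, so a passing result shows the framing is intact, not that the key is valid.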

Shippers

Shippers are used to collect data from the Cloud or local sources. LogRhythm Beats cover a lot of ground, but it's possible to use others.

When an Open Collector is re-scanned (as described above), the list of configured or running LogRhythm Beats, as well as other installed Beats, is displayed with their respective versions:

Open Collectors - Shippers

Rolling over the icon with the mouse gives the name of the Beat:

Open Collectors - Shippers - genericbeat

Add a Shipper

Sometimes, it's necessary to deploy an extra Shipper on the Open Collector to be able to gather data over a protocol not already supported by the LogRhythm Beats.

To add a shipper to an Open Collector, from the Open Collectors list:

  1. For the selected Open Collector, click on the + button under the Installed Shippers column.
  2. Select the Beat package to be deployed:
    Open Collectors - Shippers - Add

During the installation, the logs of the whole operation are displayed in the lower part of the screen.

As multiple Shippers could be deployed on multiple Open Collectors, each deployment is tracked individually and the logs are grouped by the name of the targeted Open Collector:

While the installation is going on, the "waiting" image is displayed:

Waiting...

Do not leave the page or close the web browser's tab while this process is ongoing, because visibility into the deployment is then lost. Even upon returning to the page later, the logs are no longer visible. However, the deployment continues in the background.

A new re-scan of the Open Collector can be forced if deployment visibility is lost. Refer to the Actions section above for more information.
