This section describes the process of creating and managing pipelines within the OC Admin interface.
Pipelines act as the log source product within OC Admin, and each pipeline:
- Has a collection configuration that:
- decides which Beat to use to collect the data, and
- tells the selected Beat how to collect this data.
Has data fields mapped to LogRhythm SIEM tags/fields.
Some of these fields are mapped (parsed) to LogRhythm MDI fields, which are used to automatically build the JQ Filter and JQ Transform for the Open Collector.
- Can be deployed to Open Collector hosts.
To access the list of Pipelines in the OC Admin, from the main page:
- Click Pipelines in the menu bar.
The following actions are available for each Pipeline:
|Open||Opens the Pipeline Properties, displaying information such as the collection configuration, mapping statistics, and deployments list.|
|Edit||Click to edit the Pipeline's properties (such as the name, primary Open Collector, and status).|
|Delete||Click to delete the Pipeline from the OC Admin. A prompt appears to verify this action.|
Add a New Pipeline
To add a new Pipeline to the OC Admin, from the Pipelines list:
- Click the + Add New Pipeline button.
- Enter a unique Pipeline Name.
Select the Primary Open Collector from the drop-list.
- Click the Add new Pipeline button.
The Pipeline is successfully added to OC Admin.
The Pipeline Properties window displays the following information:
- Collection configuration, including the Beat/Shipper used, the collection method (flat file, REST API, etc.), and the shipper's configuration (either YAML or JSON, depending on selected shipper requirements).
- Mapping statistics.
- Deployments list.
Each of these sections have their own actions, accessed by opening the three-dot menu on the right-hand side.
To view the properties for a specific pipeline, click the Open button to the left of the pipeline in the Pipelines List.
The Deployments section of the Pipeline Properties window allows you to deploy the selected pipeline to an Open Collector host.
Add a Deployment
To add a new deployment to a pipeline, from the Pipeline Properties window:
- Click the + Add New Deployment button at the top of the Deployments section.
- From the list of Open Collectors, select a suitable one.
An Open Collector has the "Suitable" status if:
- The Open Collector exists in the list of OC Admin Open Collectors.
- The Open Collector has the required Shipper (Beat) installed, unless the Pipeline requires one of the LogRhythm Beats. In this case, the LogRhythm Beat is automatically downloaded and deployed.
The Open Collector's hostname matches one of the identifiers (Windows name, DNS name, or IP address) of a SIEM log source host with the type "Syslog - Open Collector."
In the example image above, there are two Open Collectors, one suitable and one that isn't.
The first Open Collector ("Lab") has a matching log source in the SIEM (Log Source ID "80"), as the host mapped to the log source share one IP address.
The second Open Collector ("Test") does not have a matching SIEM log source and is therefore unsuitable.
Click the + button under the Actions column for the suitable Open Collector.
Hover the mouse over the button to see the deployment steps being carried out.
The first two steps are the longest ones and can take up to 30 seconds each, depending on how busy the Open Collector host is.
When the deployment is complete, the + button displays 100.
Remove and Stop a Deployment
To remove or stop a deployment association with a pipeline, from the Pipeline Properties window:
- Open the three-dot menu at the top-right of the Deployments section.
- Click + Add Deployment.
- In the list of Open Collectors, select the deployment to uninstall.
Click the - button under the Actions column of the deployment.
Hover the mouse over the button to see the uninstallation steps being carried out.