Open Collector Installation and User Guide
The Open Collector was built to be container-native. This provides the foundation for useful functionality in the future, from the next version of the LogRhythm Knowledge Base to easy deployment into AWS, Azure, and GCP.
Prerequisites
Internet access.
Beat configuration. See applicable documentation for the beat you want to use.
Operating System (one of the following):
- CentOS 7 Minimal, version 7.6 or greater. Download CentOS 7 here.
- RedHat Enterprise Linux 8.2 (or greater) or 9.1. Download RedHat here (license may be required). RedHat Enterprise Linux 8.2 (or greater) or 9.1 is only officially supported using Mirantis Container Runtime or Mirantis Kubernetes Engine (formerly Docker Enterprise Edition).
- Oracle Linux 8.7 or 9.1. Download Oracle Linux here.
- Rocky Linux 9.1 or greater. Download Rocky Linux here.
Docker:
- CentOS 7.x, Oracle Linux 8.7 or 9.1, and Rocky Linux 9.1 or greater: Docker Community Edition is installed automatically with the Open Collector. This requires compatible hardware or VM installation; your VM instance may require virtualization to be enabled to allow Docker to run.
- RedHat Enterprise Linux 8.2 (or greater) or 9.1: Mirantis Container Runtime and Mirantis Kubernetes Engine (formerly Docker Enterprise Edition) are the only officially supported versions of Docker on RedHat Enterprise Linux. They require manual installation and a paid license.
Host system:
Platform | vCPU | Memory | Disk |
---|---|---|---|
Minimum | 8 | 8GB | 50GB |
XM2600 | 8 | 16GB | 100GB |
XM4600 | 10 | 16GB | 100GB |
XM6600 | 12 | 16GB | 150GB |
XM8600 | 12 | 16GB | 150GB |
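A pre-flight check for the prerequisites above, added here as an example; it is not part of the guide or of the Open Collector installer. It classifies the host from /etc/os-release (falling back to /etc/centos-release for the minor version, because CentOS 7 reports only VERSION_ID="7"), reports which Docker path applies, compares vCPU, memory and disk with a row of the sizing table, and reports whether the CPU exposes hardware virtualization (the vmx or svm flag). The os-release and cpuinfo texts it is exercised with are constructed; the /var/lib/docker disk path is an assumption based on Docker's default data directory.

```python
import os
import re
import shutil

# Host sizing table from the guide: platform -> (vCPU, memory GB, disk GB).
SIZING = {
    "Minimum": (8, 8, 50),
    "XM2600": (8, 16, 100),
    "XM4600": (10, 16, 100),
    "XM6600": (12, 16, 150),
    "XM8600": (12, 16, 150),
}

# Supported distributions keyed by the ID field of /etc/os-release, each with the
# release rule from the guide and how Docker gets onto that platform.
DOCKER_CE = "Docker CE is installed automatically by the Open Collector installer"
MIRANTIS = "Mirantis Container Runtime or Mirantis Kubernetes Engine: manual install, paid license"
SUPPORTED = {
    "centos": ("CentOS", lambda v: v[0] == 7 and v[1] >= 6, DOCKER_CE),
    "rhel": ("RedHat Enterprise Linux", lambda v: (v[0] == 8 and v[1] >= 2) or v == (9, 1), MIRANTIS),
    "ol": ("Oracle Linux", lambda v: v in {(8, 7), (9, 1)}, DOCKER_CE),
    "rocky": ("Rocky Linux", lambda v: v >= (9, 1), DOCKER_CE),
}

def parse_os_release(text):
    """Parse /etc/os-release (KEY=value, values optionally double-quoted)."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields

def os_version(fields, release_file_text=""):
    """Return (major, minor). CentOS 7 reports VERSION_ID="7" with no minor,
    so the minor is read from /etc/centos-release text when it is supplied."""
    version_id = fields.get("VERSION_ID", "")
    if "." not in version_id and release_file_text:
        m = re.search(r"release (\d+)\.(\d+)", release_file_text)
        if m:
            return int(m.group(1)), int(m.group(2))
    major, _, minor = version_id.partition(".")
    return int(major or 0), int(minor or 0)

def check_os(os_release_text, release_file_text=""):
    """Return (supported, verdict) for the host distribution and release."""
    fields = parse_os_release(os_release_text)
    entry = SUPPORTED.get(fields.get("ID", ""))
    if entry is None:
        return False, f"{fields.get('PRETTY_NAME', 'unknown OS')} is not a supported distribution"
    name, rule, docker_note = entry
    major, minor = os_version(fields, release_file_text)
    if not rule((major, minor)):
        return False, f"{name} {major}.{minor} is not a supported release"
    return True, f"{name} {major}.{minor} is supported; {docker_note}"

def check_resources(vcpus, mem_gb, disk_gb, platform="Minimum"):
    """Compare host resources with one row of the sizing table and return the
    list of shortfalls (empty when the host meets that row)."""
    need_cpu, need_mem, need_disk = SIZING[platform]
    shortfalls = []
    if vcpus < need_cpu:
        shortfalls.append(f"vCPU {vcpus} < {need_cpu}")
    # MemTotal in /proc/meminfo is a little below the configured RAM because the
    # kernel reserves some of it, so an "8GB" VM reports about 7.8: round it.
    if round(mem_gb) < need_mem:
        shortfalls.append(f"memory {mem_gb:g} GB < {need_mem} GB")
    if disk_gb < need_disk:
        shortfalls.append(f"disk {disk_gb:g} GB < {need_disk} GB")
    return shortfalls

def virtualization_flag(cpuinfo_text):
    """Return 'vmx' (Intel) or 'svm' (AMD) when /proc/cpuinfo exposes hardware
    virtualization, else None; the guide warns VM guests may need it enabled."""
    m = re.search(r"^flags\s*:.*\b(vmx|svm)\b", cpuinfo_text, re.MULTILINE)
    return m.group(1) if m else None

def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

if __name__ == "__main__":
    # Live pre-flight check of the machine this runs on (Linux only).
    print(check_os(_read("/etc/os-release"), _read("/etc/centos-release"))[1])
    mem_kib = int(re.search(r"MemTotal:\s+(\d+)", _read("/proc/meminfo") or "MemTotal: 0").group(1))
    # Assumed Docker data directory; fall back to the root filesystem.
    disk_gb = shutil.disk_usage("/var/lib/docker" if os.path.isdir("/var/lib/docker") else "/").total / 1e9
    for problem in check_resources(os.cpu_count() or 0, mem_kib / 2**20, disk_gb):
        print("shortfall:", problem)
    print("hardware virtualization:", virtualization_flag(_read("/proc/cpuinfo")) or "not exposed")
```

Run it on the candidate host before starting the installer; the release rule encodes the exact lists from the guide (for RedHat, 8.2 or greater or exactly 9.1; for Oracle Linux, exactly 8.7 or 9.1), so a newer point release that is not listed is reported as unsupported rather than silently accepted.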
- System Monitor Agent:
- Syslog-enabled LogRhythm Windows System Monitor agent, version 7.6 or greater
- Must be installed on a machine that the Open Collector host can reach over the network
Use of the Linux System Monitor agent is not officially supported at this time.
As a workaround, change the Linux System Monitor agent's relay regex so that the BeatFullName (the fullyqualifiedbeatname field of the relayed message, captured below as hostidentifier) is used as the identifier for the log source. Use the following relay regex:
```regex
^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}\s[^\|]+\|beatname=[^\|]+\|device_type=[^\|]+\|fullyqualifiedbeatname=(?<hostidentifier>[^\|]+)\|.*)
```
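To see what the relay regex above actually extracts, here is an added example that is not part of the guide or of the LogRhythm agent: it keeps the regex verbatim, rewrites only the named-group syntax into Python's `(?P<name>...)` form, and runs it over constructed sample lines. The sample lines are assumptions in the shape the regex expects, not captured Open Collector output; a line that lacks the fullyqualifiedbeatname field, or an ordinary BSD-style syslog line, does not match and so could not be attributed to a log source by this regex.

```python
import re

# The relay regex from the guide, verbatim (named groups in (?<name>...) form).
RELAY_REGEX = (
    r"^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})"
    r"T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}"
    r"\s[^\|]+\|beatname=[^\|]+\|device_type=[^\|]+\|fullyqualifiedbeatname="
    r"(?<hostidentifier>[^\|]+)\|.*)"
)

# Python's re module spells named groups (?P<name>...). Rewrite only the group
# openers so that everything else in the pattern is exactly what the agent uses.
PATTERN = re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", RELAY_REGEX))

def parse_relayed_line(line):
    """Return the named captures for one relayed syslog line, or None when the
    relay regex does not match (the agent then cannot attribute the line)."""
    m = PATTERN.match(line)
    return m.groupdict() if m else None

def log_source_identifier(line):
    """The value the workaround makes the agent use as the log source identity:
    the fullyqualifiedbeatname field, captured as <hostidentifier>."""
    captures = parse_relayed_line(line)
    return captures["hostidentifier"] if captures else None

# Constructed sample lines in the shape the relay regex expects (assumptions
# made for this example, not captured Open Collector output).
SAMPLE_WITH_MS = (
    "<13>2024-05-01T12:34:56.789Z opencollector-01 |beatname=webhookbeat"
    "|device_type=webhook|fullyqualifiedbeatname=webhookbeat_prod|original_message=hello"
)
# Timestamp with a numeric UTC offset instead of Z, and no fractional seconds.
SAMPLE_WITH_OFFSET = (
    "<14>2024-05-01T12:34:56+00:00 opencollector-01 |beatname=eventhubbeat"
    "|device_type=azure|fullyqualifiedbeatname=eventhubbeat_tenant1|original_message=x"
)
# Same shape but the fullyqualifiedbeatname field is missing: no match.
SAMPLE_MISSING_FQBN = (
    "<13>2024-05-01T12:34:56Z opencollector-01 |beatname=webhookbeat"
    "|device_type=webhook|original_message=no identifier here"
)
# Ordinary BSD-style syslog from another host: no ISO timestamp, no match.
SAMPLE_PLAIN_SYSLOG = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_MS, SAMPLE_WITH_OFFSET, SAMPLE_MISSING_FQBN, SAMPLE_PLAIN_SYSLOG):
        captures = parse_relayed_line(sample)
        if captures is None:
            print("no match  :", sample[:60])
        else:
            print("identifier:", captures["hostidentifier"], "| priority", captures["priority"],
                  "| ms", captures["ms"])
```

Because every field before the identifier is matched with `[^\|]+`, a beat name or device type that itself contains a pipe character would break the match; the regex relies on the Open Collector never emitting one inside those fields.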
Because the content of the log sources that the Open Collector can process varies greatly, performance depends on the log source in use. For more information, see (Optional) Configure Open Collector Advanced Properties.