Open Collector Installation and User Guide
The Open Collector was built to be container native. This provides the foundation for useful functionality in the future, from the next version of the LogRhythm Knowledge Base to easy deployment into AWS, Azure, and GCP.
Prerequisites
Internet access.
Beat configuration. See applicable documentation for the beat you want to use.
Operating System:
CentOS 7 Minimal Version 7.6 or greater. Download CentOS 7 here.
RedHat Enterprise Linux 8.2 (or greater) or 9.1. Download RedHat here (license may be required).
RedHat Enterprise Linux 8.2 (or greater) or 9.1 is only officially supported using Mirantis Container Runtime or Mirantis Kubernetes Engine (Formerly Docker Enterprise Edition).Oracle Linux 8.7 or 9.1. Download Oracle Linux here.
Rocky Linux 9.1 or greater. Download Rocky Linux here.
Docker:
CentOS 7.x
Docker Community Edition is installed automatically with the Open Collector. This requires compatible hardware or VM installation. Your VM instance may require virtualization to be enabled to allow Docker to run.
RedHat Enterprise Linux 8.2 (or greater) or 9.1.
Mirantis Container Runtime and Mirantis Kubernetes Engine (Formerly Docker Enterprise Edition) are the only officially supported versions of Docker compatible with RedHat Enterprise Linux 8. Requires manual installation and paid license.
Oracle Linux 8.7 or 9.1.
Docker Community Edition is installed automatically with the Open Collector. This requires compatible hardware or VM installation. Your VM instance may require virtualization to be enabled to allow Docker to run.
Rocky Linux 9.1 or greater.
Docker Community Edition is installed automatically with the Open Collector. This requires compatible hardware or VM installation. Your VM instance may require virtualization to be enabled to allow Docker to run.
Host system:
| Platform | vCPU | Memory | Disk |
|---|---|---|---|
| Minimum | 8 | 8GB | 50GB |
| XM2600 | 8 | 16GB | 100GB |
| XM4600 | 10 | 16GB | 100GB |
| XM6600 | 12 | 16GB | 150GB |
| XM8600 | 12 | 16GB | 150GB |
- System Monitor Agent:
- Syslog-enabled LogRhythm Windows System Monitor agent, version 7.6 or greater
- Must be installed on network-accessible machine
Use of the Linux System Monitor agent is not officially supported at this time
As a workaround, change the Linux System Monitor agent's relay regex to use the BeatFullName as the identifier for the log source. Use the following relay regex:
CODE^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}\s[^\|]+\|beatname=[^\|]+\|device_type=[^\|]+\|fullyqualifiedbeatname=(?<hostidentifier>[^\|]+)\|.*)
As the content of the log sources that the Open Collector can process varies greatly, performance varies based on the log source in use. For more information, see the Configure Open Collector Advanced Properties section of the Configure the Open Collector Connection to the SIEM (Legacy-Syslog) topic.
Navigating the Open Collector Installation Guide
The pages you should view while using this installation guide will vary depending on the operating system you use, your installation method, and how beats will be managed. Use this links below to navigate this guide.
- (Optional.) If using Generation 6 appliances, refer to the Create Open Collector VM on Gen6 XM topic.
- Select an operating system from the Install Open Collector Operating System page.
- Follow the directions on the Install the Open Collector page.
- Select one of the following methods to manage beats:
- If you are managing custom beats, or your SIEM version is pre-7.14, follow the instructions at Configure Open Collector Connection to the SIEM (Legacy-Syslog).
- If your SIEM version is 7.14 or later, follow the instructions at Configure Open Collector Connection to the SIEM (WebUI).