Configure an Open Collector Log Source
Accept the Pending Log Source
- Open the Client Console Deployment Manager.
- Click the Log Sources tab.
  In the New Log Sources grid, a pending log source appears with a name similar to
  (customerid)-opencollector.c.e3-hub753dd405.internal
- Check the Action check box for this log source.
- Right-click and select Actions, Change Log Source Type.
- In the text filter box, enter Open Collector.
- Select the value System : Syslog - Open Collector.
  Do not select the specific log source types yet. You will do that in a later step.
- Right-click and select Actions, Resolve Log Source Host.
- Right-click the selection and click Actions, Accept.
- Do one of the following:
  - Click Custom and change the following as needed:
    - Collection System Monitor Entity
    - Log Message Processing Settings
    - Log Data Management and Processing Settings
    - Silent Log Message Source Settings
  - Click Default to select customized defaults that were previously selected.
- Select a default batch amount between 100 and 5000.
- Click OK.
- To see the newly accepted Log Source in the grid, click Refresh.
Apply the Log Source Virtualization Template
- Double-click to open the newly accepted Open Collector Log Source.
  The Log Message Source Properties window appears.
- Click the Log Source Virtualization tab.
- Select the Enable Virtualization checkbox.
- Click Create Virtual Log Sources.
  The Create Virtual Log Sources dialog box appears.
- In the Log Source Virtualization Template menu, select the log sources you are planning to collect. At this time, LogRhythm Cloud to Cloud collection supports:
  - Azure Event Hub
  - Carbon Black
  - Cisco AMP
  - Duo
  - Gmail Message Tracking
  - Okta
  - PubSub
  - Sophos Central
- Click Save.
  The confirmation prompt appears.
- Click Apply.
- Click OK.
  New Log Sources appear in the grid as children of your parent log source.
- Click the System Monitors tab.
- Click the Action check box next to the agent named (customerid)-dpwac.
- Right-click the selection and click Actions, Service Restart.
After this initial setup, you can start configuring the beats themselves in the Web Console. For more information on specific beats, see OCBeats.