Only Global and Restricted Admins can use this feature.
You must initialize the Long-Running LRCTL service to work with Open Collectors and Beats in the Web Console. For instructions on how to initialize the service, see Configure Open Collector Connection to the SIEM.
To add a new Beat:
On the top navigation bar, click the Administration icon, and then click Log Collection.
The Log Sources page appears.
On the left side, click Beats.
The Beats page appears.
In the upper-right corner of the page, click + New Beat.
The New Beat workflow guides you through two (2) steps as you create your new Beat:
Select Beat Type - the type of Beat from which you want to collect logs.
Configure Beat - configure your Beat.
Select Beat Type
The following Beat types are currently supported in the Web Console:
Azure Event Hub
Carbon Black Cloud
Duo Authentication Security
Microsoft Graph API
The first workflow screen prompts you to select the type of Beat you want to create.
Enter text in the search box or scroll through the list to find the Beat type you want to add.
Click the Beat type.
A blue box appears around the selected Beat type.
The New Beat workflow advances to the second step and prompts you to configure the Beat.
The configuration screen appears. Complete the following fields:
Enter a name for the Beat.
Select the Open Collector the Beat will be installed on.
System Monitor Agent - select the System Monitor Agent that the Open Collector will forward its data to.
The Required section contains required fields specific to each Beat type, such as Client ID, API Key, Hostname, or URL Address. For more details on these required fields, see the documentation on how to initialize a specific Beat in Open Collector and Beats.
Default value = 1000
Number of Back Days - default value = 7
Default value = 2
After entering the required information and selecting your desired options, click Save.
The new Beat is created and appears in the Beats Grid.