You must initialize the Long-Running LRCTL service to work with Log Sources associated with Beats in the Web Console. For instructions on how to initialize the service, see Configure Open Collector Connection to the SIEM.
To add a new Log Source:
On the top navigation bar, click the Administration icon, and then click Log Collection.
The Log Sources page appears.
At the top of the page, click + New Log Source.
The New Log Source workflow appears.
The New Log Source workflow guides you through three (3) steps as you configure your new Log Source:
Select Type - Log Source Type associated with the Beat from which you want to collect logs.
Select Beat - Beat from which you want to collect logs.
Settings - configure your Log Source.
Select Log Source Type
The first workflow screen prompts you to select the Log Source Type for your new Log Source.
Enter text in the search box or scroll through the list to find the Log Source Type you want to add.
Click the Log Source Type.
A blue box appears around the selected Log Source Type.
Only supported Log Source Types are displayed. Use the Client Console for all other new Log Source configuration.
The New Log Source workflow advances to the second step and prompts you to select a Beat.
Existing Beats appear in the grid. This list contains only the Beats that are associated with the Log Source Type you selected in the first step of the workflow.
Click the row for the Beat you want to associate with the new Log Source.
The selected row is highlighted in blue.
The New Log Source workflow advances to the third step and prompts you to configure settings.
The settings screen appears. In the Attributes section, the following fields appear (an asterisk (*) indicates a required field):
Log Source Name*
Enter the name of your Log Source (required).
Enter a description for your Log Source (optional).
The System Monitor Agent associated with the Beat you selected in step two of the workflow.
Log Source Type
The Log Source Type you selected in step one of the workflow.
Select the MPE Policy you want to use for collection of the Log Source (required).
In the Additional Setting section, the following options appear (an asterisk (*) indicates a required field):
Silent Log Source Alerts
Click the check box to enable silent Log Source alerts, then specify when to issue a warning and an error.
Click the check box to start collection from the beginning of the log.
Max Message Count*
Specify the maximum message count (required).
Log Data Management and Processing
Click the check boxes for the options you want to enable.
After entering the required information and selecting your desired options, click Save.
The new Log Source is created and appears in the Log Source Grid.