Breadcrumbs

Add a New Beat in Web Console

Only Global and Restricted Admins can use this feature.

You must initialize the Long-Running LRCTL service to work with Open Collectors and Beats in the Web Console. For instructions on how to initialize the service, see Configure Open Collector Connection to the SIEM.

To add a new Beat:

  1. On the top navigation bar, click the Administration icon, and then click Log Collection
    The Log Sources page appears.

  2. On the left side, click Beats.
    The Beats page appears.

  3. In the upper-right corner of the page, click + New Beat.

The New Beat workflow guides you through two (2) steps as you create your new Beat:

  • Select Beat Type - the type of Beat from which you want to collect logs.

  • Configure Beat - configure your Beat.

Select Beat Type

The following Beat types are currently supported in the Web Console:

  • AWS S3

  • Azure Event Hub

  • Carbon Black Cloud

  • Cisco AMP

  • Darktrace

  • Duo Authentication Security

  • Exabeam

  • Gmail Message Tracking

  • Google Workspace

  • Kafka

  • Microsoft Graph API

  • Mimecast SIEM

  • O365

  • Okta

  • Prisma Cloud

  • Proofpoint

  • PubSub

  • Qualys FIM

  • Salesforce Audit

  • SentinelOne

  • Sophos Central

Due to changes in the Sophos Central authentication strategy in July 2025, Sophos Beat instances configured in the Web Console will not function properly unless you are using LogRhythm SIEM version 7.21 or higher.

  • Symantec WSS

The first workflow screen prompts you to select the type of Beat you want to create.

  1. Enter text in the search box or scroll through the list to find the Beat type you want to add.

  2. Click the Beat type.
    A blue box appears around the selected Beat type.

  3. Click Next.
    The New Beat workflow advances to the second step and prompts you to configure the Beat.

Configure Beat

The configuration screen appears. Enter the following fields:

General

Field Name

Description

Name

Enter a name for the Beat.

Open Collector

Select the Open Collector the Beat will be installed on.

System Monitor Agent

Select the System Monitor Agent that the Open Collector will forward its data to.

Required

The Required section contains required fields specific to each Beat type. For example, Client ID, API Key, Hostname, or URL Address. For more details on these required fields, see the documentation on how to initialize a specific Beat in Open Collector and Beats.

Throttling

Field Name

Description

Data Limit

Default value = 1000

Number of Back Days

Default value = 7

Polling Interval

Field Name

Description

Period

Default value = 2

After entering the required information and selecting your desired options, click Save.

The new Beat is created and appears in the Beats Grid.