To get the most out of your security information and event management (SIEM) solution, it’s crucial to focus on log collection. After all, log collection is the first step in log management. But if you don’t have a straightforward user interface to test and manage log sources, collection can be difficult.
That’s where LogRhythm can help. To improve the user experience for log collection, LogRhythm recently released a new Web UI called OC Admin, which runs on Open Collector, the service that parses JavaScript Object Notation (JSON) data. The new web-based UI simplifies the user experience and greatly reduces the time and effort it takes to configure, deploy, and manage log sources that require Open Collector. The UI is currently available to Open Collector users. The feature is part of LogRhythm version 7.11, which became generally available in January.
Previously, all interactions with Open Collector and its Beats took place from the command line. While the capability to collect from Cloud log sources has existed for some time, users found it difficult to use without a graphical interface. LogRhythm has now made it even easier for customers to manage Open Collector.
OC Admin Features
The UI now features an easy-to-use graphical interface to help users manage log sources collected by Open Collector. Using OC Admin saves analysts time when configuring a Beat: users no longer need to manually re-enter all the parameters when prompted by Open Collector’s command line tool.
Multi-language support
Since LogRhythm’s customer base covers all key continents, it was crucial to offer multi-language support for the appropriate regions.
Multiple Open Collector management
Once OC Admin is deployed on one Open Collector, users don’t need to deploy it on every single Open Collector. From that instance, analysts can connect to any other Open Collector and configure it remotely.
Beat configuration
The configuration of the Beats is now graphical. The configuration fields are grouped in related sections that can collapse for clarity. All fields provide their own documentation, including examples where applicable.
Live Tail and graphical log data parsing
The beauty of configuring the parsing is that it doesn’t require analysts to know any parsing language, such as Regex or JQ. This is now handled graphically. First, the user starts a Live Tail, which applies the Pipeline configuration to a Beat, grabs the real output live, and displays it on screen in a normalized manner, field by field with the observed frequencies.
Once live data is gathered, analysts can look for the fields that are available in the log message, see what the most common content samples are, and sort them by frequency. Finally, analysts can map each field to one of the SIEM fields using a fully searchable drop-down.
The UI searches for the user’s term in the field tag, its full name, and its documentation.
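The field-frequency view and the searchable SIEM-field mapping described above, sketched in plain Python as an added example; this is not LogRhythm or Open Collector code, and the sample log lines and the SIEM_FIELDS table are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of JSON log output, as a Beat might emit it.
SAMPLE_LOGS = [
    '{"user": {"name": "alice", "ip": "10.0.0.5"}, "action": "login", "result": "success"}',
    '{"user": {"name": "bob", "ip": "10.0.0.9"}, "action": "login", "result": "failure"}',
    '{"user": {"name": "alice", "ip": "10.0.0.5"}, "action": "logout", "result": "success"}',
    '{"user": {"name": "carol", "ip": "10.0.0.7"}, "action": "login", "result": "failure"}',
]

# Hypothetical subset of SIEM fields: tag -> (full name, documentation).
SIEM_FIELDS = {
    "login": ("Login", "Account name used for the authentication attempt"),
    "sip": ("Source IP", "IP address of the host that originated the event"),
    "command": ("Command", "Operation or action that was performed"),
}

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field paths, e.g. user.name."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def field_frequencies(lines):
    """Per field path, list each observed value with its count, most common first."""
    counts = defaultdict(Counter)
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the tail
        for path, value in flatten(record).items():
            counts[path][str(value)] += 1
    return {path: c.most_common() for path, c in counts.items()}

def search_siem_fields(term, fields=SIEM_FIELDS):
    """Match the term against tag, full name and documentation, case-insensitively."""
    term = term.lower()
    return sorted(tag for tag, (name, doc) in fields.items()
                  if term in tag.lower() or term in name.lower() or term in doc.lower())

if __name__ == "__main__":
    for path, values in field_frequencies(SAMPLE_LOGS).items():
        print(path, values)
    print(search_siem_fields("address"))
```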
Marketplace
A new feature of OC Admin is that it comes with a built-in EZ Marketplace that allows users to share their Pipelines as templates. Users can then browse the available Pipeline Templates and use part or all of a Template to complement an existing local Pipeline or to create a new one.
Stay tuned for more log collection updates
This is just the beginning of more exciting things to come for OC Admin. Be on the lookout for additional announcements including new Beats and new functionality for OC Admin coming soon.