Enhancing Log Collection with LogRhythm OC Admin

New Open Collector 'Manage' page

The demand to consume data and telemetry across multiple sources has exploded in recent years. Without the ability to support a range of log sources, customers often lack visibility across their enterprise. Additionally, consuming data from API sources has required users to learn to write JQ pipelines (JQ is a lightweight, flexible command-line JSON processor), which many users find challenging.

LogRhythm recognizes these limitations and has made strides to ease the challenges with log collection. As part of the April release of LogRhythm SIEM version 7.12, we made it easier for customers to onboard log sources and we’ve enhanced the workflow to drive efficiency.

Manage Open Collector

With LogRhythm SIEM version 7.12, customers can access a simple interface in Open Collector (OC) Admin. OC Admin automates the creation of log sources within the LogRhythm console, increasing the speed and simplicity of the overall user experience and reducing operational overhead. The addition of the API log sources paves the way for LogRhythm’s eventual move of the OC Admin service to the web UI.

With OC Admin, LogRhythm removed the need for users to write JQ pipelines by creating an easy-to-use interface to parse data and provide centralized management of deployed Open Collectors. Customers can now use a new “Action” icon on the Open Collectors page. Customers can also access live statistics such as CPU, memory, network, storage and threads/processes consumption through OC Admin.

Figure 1: A new Action icon is available in the Open Collectors page/list

Figure 2: Each Open Collector provides a new page with live statistics (CPU, memory, network, storage, and threads/processes consumption)

Figure 3: Centralized Open Collector monitoring

Expanding Log Collection with New Beats

To fulfill customer and partner requests for additional log collection capabilities, LogRhythm expanded its log collection so that customers can consume data from API log sources more easily and quickly, and manage that data centrally.

LogRhythm added the following Beats:

  • Prisma
  • Symantec Web Secure Service (WSS)
  • Microsoft Graph API
  • Carbon Black Cloud
  • Cisco AMP
  • DUO
  • Proofpoint

Beats, which are free and open platforms for single-purpose data shippers, send data from machines and systems to logging systems such as Open Collector via a secure, backpressure-aware protocol. Each Beat is designed to connect to one type of technology, with the goal of being specialized and as lightweight as possible.

Customers and partners requested these specific Beats through LogRhythm’s Innovation Portal, and delivering them is part of our ongoing commitment to excellence. This capability allows customers to gain wider visibility into their enterprise and applications to further detect threats and potential operational anomalies.

Easing Open Collector Administration

Monitoring collectors across an enterprise is essential to ensure the right information is collected in a timely manner. As part of version 7.12, LogRhythm introduces light administration capabilities within OC Admin.

On the Open Collector Manage page, customers can perform a series of actions such as starting and stopping a collector, importing and exporting its full configuration, viewing its high-level configuration in the UI, exporting logs as files, and viewing real-time logs in the UI.

Figure 4: Start and stop, or import and export full configuration, on the Open Collector Manage page

Figure 5: Export logs as a file

Figure 6: LogRhythm added support for exporting and tracking internal Open Collector and Beats logs in real time

Further Enhancing OC Admin with UI Improvements

Having a good analyst experience is key when working with data, which is why Open Collector has been enhanced with new workflows and an updated user interface. OC Admin now features a breadcrumb bar that helps you navigate the UI more easily and gives the workflow a more polished look. The appearance more closely aligns with LogRhythm Axon, our cloud-native Software-as-a-Service (SaaS) security operations platform.

Figure 7: OC Admin offers new navigation improvements

Just Getting Started with Log Collection

The latest enhancements to our log collection capabilities serve as the foundation for bigger things to come. To deploy OC Admin or to learn more, visit the OC Admin documentation page.