Easing Log Collection with LogRhythm’s OC Admin
To get the most out of your security information and event management (SIEM) solution, it's crucial to focus on log collection. After all, log collection is the first step in log management. But if you don't have a straightforward user interface to test and manage log sources, collection can be difficult.
That’s where LogRhythm can help. To ease the user experience for log collection, LogRhythm recently released a new Web UI called OC Admin, which runs on Open Collector, the service that parses JavaScript Object Notation (JSON) data. The new web-based UI eases the user experience and greatly reduces the time and effort it takes to configure, deploy, and manage log sources that require Open Collector. The UI is currently available to Open Collector users — and coming soon for LogRhythm Cloud. The feature is part of LogRhythm version 7.11, which was generally available in January.
Previously, all interactions with Open Collector and its Beats took place from the command line. While the capability to collect from cloud log sources has existed for some time, users found it difficult to use without a graphical interface. LogRhythm has now made it even easier for customers to manage Open Collector.
OC Admin Features
The UI now features an easy-to-use graphical interface to help users manage log sources collected by Open Collector. Using OC Admin saves analysts time when building a Beat configuration: users no longer need to manually re-enter all the parameters when prompted by Open Collector's command line tool.
Figure 1: OC Admin features a graphical user interface
Multi-language support
Since LogRhythm's customer base covers all key continents, it was crucial to offer multi-language support for the appropriate regions.
Figure 2: OC Admin is available in over 10 languages
Multiple Open Collector management
Once OC Admin is deployed on one Open Collector, users don't need to deploy it on every single Open Collector. Analysts can connect to any other Open Collector from that one and configure it remotely.
Figure 3: OC Admin features multiple Open Collector management
Beat configuration
The configuration of the Beats is now graphical. The configuration fields are grouped in related sections that can collapse for clarity. All fields provide their own documentation, including examples where applicable.
Figure 4: UI-driven simplified configuration of the log collection
Figure 5: Example of the built-in documentation for one of the log collection configuration fields – Authentication Type
Figure 6: Example of the built-in documentation for one of the log collection configuration fields – Cursor Type
Figure 7: Example of the built-in documentation for two of the log collection configuration fields – Start Field and Start Value
Figure 8: Example of the built-in documentation for one of the log collection configuration fields – Response Data Field
Live Tail and graphical log data parsing
The beauty of the parsing configuration is that it doesn't require analysts to know any parsing language, such as Regex or JQ. This is now handled graphically. First, the user starts a Live Tail, which applies the Pipeline configuration to a Beat, grabs its real output live, and displays it on screen in a normalized manner, showing each field together with the frequency of its values.
Figure 9: OC Admin handles parsing graphically, freeing analysts from having to understand a parsing language
Once live data is gathered, analysts can look for the fields that are available in the log message, see what the most common content samples are, and sort them by frequency. Finally, analysts can map each field to one of the SIEM fields using a fully searchable drop-down.
Figure 10: Users can search through the fields available in the log message and sort them by frequency
The UI searches for the user's term in the field tag, its full name, and its documentation.
Figure 11: The UI performs a complete search
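The Live Tail field discovery described above, as an added illustration that is not part of the original post or of OC Admin's own code: it flattens a handful of constructed JSON log records into dotted field paths, counts how often each field is present and which values are most common, and offers a name search over the discovered fields. The sample records and all function names are assumptions for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records, in the shape a JSON-emitting Beat might produce.
# These are made up for the example and are not real LogRhythm output.
SAMPLE_LOGS = [
    '{"event": {"type": "login", "result": "success"}, "actor": {"user": "alice", "ip": "10.0.0.5"}}',
    '{"event": {"type": "login", "result": "failure"}, "actor": {"user": "bob", "ip": "10.0.0.9"}}',
    '{"event": {"type": "login", "result": "success"}, "actor": {"user": "alice", "ip": "10.0.0.5"}, "mfa": true}',
    'this line is not JSON and must be skipped',
]


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field paths, e.g. actor.user, list items by index."""
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}{idx}."))
    else:
        out[prefix[:-1]] = obj  # strip the trailing dot from the accumulated path
    return out


def field_frequencies(lines):
    """Return ({field: Counter of JSON-encoded values}, Counter of how many records carry each field)."""
    values = defaultdict(Counter)
    presence = Counter()
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole tail
        for field, val in flatten(record).items():
            values[field][json.dumps(val)] += 1
            presence[field] += 1
    return values, presence


def top_samples(values, field, n=3):
    """Most common content samples for one field, highest frequency first."""
    return values[field].most_common(n)


def search_fields(presence, term):
    """Fields whose dotted name contains the search term, most frequently present first."""
    term = term.lower()
    return [field for field, _ in presence.most_common() if term in field.lower()]
```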
Marketplace
A new feature of OC Admin is that it comes with a built-in EZ Marketplace that allows users to share their Pipelines as templates. Users can then browse the available Pipeline Templates and use either parts of a Template or the whole Template, whether to complement an existing local Pipeline or to create a new one.
Figure 12: OC Admin users can import templates shared by others, based on their own Pipelines in the Marketplace
Figure 13: OC Admin can bring a Marketplace template into a brand new local Pipeline, or import parts of it in an existing one
Figure 14: Customize the name of the new Pipeline and select which parts of the Pipeline Template to import
Figure 15: Select which existing Pipeline you want to augment with the content of the Pipeline Template
Stay tuned for more log collection and updates
This is just the beginning of more exciting things to come for OC Admin. Be on the lookout for additional announcements including new Beats and new functionality for OC Admin coming soon.
*** This is a Security Bloggers Network syndicated blog from LogRhythm authored by Kelsey Gast. Read the original post at: https://logrhythm.com/blog/easing-log-collection-with-logrhythms-oc-admin/

