Logpoint
Logpoint contains all the default Knowledge Base (KB) components and Logpoint plugins. Logpoint normalizes Logpoint audit events, Webserver Common Log Format events, and Kernel events and enables you to analyze the data using alerts, reports, and dashboards.
Key Information
To export data to Logpoint, use the Syslog collector on port 514 in the Logpoint server.
Package Details
Normalization Packages
- LP_Logpoint
- LP_WebServer Common Log Format
- LP_Kernel
- LP_LogpointAlerts
- LP_Logpoint Audit
- LP_Logpoint Services
Alert Packages
- LP_Default License Grace State
- LP_Default License Invalid
- LP_Logpoint License Expiry Status
- LP_UEBA Storage Filling Soon
- LP_UEBA Storage Full
Dashboard Packages
- LP_Syslog
- LP_Audit Logs
- LP_Logpoint Director
- LP_Default
- LP_Logpoint Incidents
- LP_Logpoint Audit
- LP_Logpoint Security Incidents
Label Packages
- LP_Logpoint
- LP_WebServer Common Logs
Report Packages
- LP_PCI Compliance Report
- LP_DS484 Compliance Report
- LP_SOX Compliance Report
- LP_ISO Compliance Report
System Notification Plugins
- Disk Notification
- CPU Notification
- Memory Notification
- StorageSpaceMonitor
Authentication Plugins
- LDAP Authentication
Fetcher
- SNMP Fetcher
Enhancement
Description: Added LP_Director Console normalization package to normalize Director Console events.
Issue ID: KB-17101
Reference ID: -
Description: Added signatures in LP_Logpoint to normalize audit logs generated from Director Console. Added labels in the LP_Logpoint label package for audit logs generated from Director Console.
Sample Dashboard
Installation
To install Logpoint:
- Download the .pak file from the Download section above.
- Go to Settings >> System Settings >> Applications.
- Click Import.
- Browse to the downloaded .pak file.
- Click Upload.
Supported Devices
- Webserver Common
- Kernel
- Logpoint Audit
Log Formats
Logpoint Audit Log
Semicolon-separated
2019-11-04_05:02:50 Logpoint INFO: plugin emailnotification; notification; updated; type=audit_log; source_address='::xxxx:1.1.1.1'; user='admin'
2021-03-22 07:04:41 Logpoint-132 INFO: LoggerPlugin; Alert received; type=alert_log; alert_name='Too mAny Logs'; incident_id='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; alertrule_id='xxxxxxxxxxxxxxxxxxxxxxxxxxxx'; life_id='life_xxxxxxxxxxxxxxxxxxxxxxxxxxxx'; alert_id='xxxxxxxxxxxxxxxxxxxxxxxxxxxx'; status='unresolved'; risk_level='critical'; description=''; detection_timestamp='1616396681.9865444'; timerange_start='1616392800'; timerange_end='1616396400'; repos='["127.0.0.1:5504"]'; query='*'; tid=''
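To make the audit log format concrete, here is an added parser (not part of the Logpoint application or its documentation) for the lines shown above: it splits the header from the semicolon-separated body, keeps the positional segments (plugin, action) apart from the key=value fields, and goes slightly beyond the samples by tolerating semicolons inside single-quoted values. The `is_incident` helper mirrors the v5.2.1 label rule described later on this page; the second sample line is the page's own with its masked ids shortened.

```python
import re
from dataclasses import dataclass, field

# Header: timestamp written as date_time or "date time", then host, level and the body.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[_ ]\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<level>[A-Z]+):\s*(?P<body>.*)$"
)
# One body segment: key=value (single-quoted value, which may contain ';', or a bare
# value up to the next ';') or positional text such as "Alert received".
SEGMENT_RE = re.compile(
    r"\s*(?:(?P<key>[A-Za-z_]\w*)=(?:'(?P<qval>[^']*)'|(?P<val>[^;]*))"
    r"|(?P<pos>[^;]+))\s*(?:;|$)"
)

@dataclass
class AuditEvent:
    timestamp: str
    host: str
    level: str
    positional: list = field(default_factory=list)  # e.g. ["LoggerPlugin", "Alert received"]
    fields: dict = field(default_factory=dict)      # key=value pairs, quotes stripped

def parse_audit_line(line: str) -> AuditEvent:
    """Parse one Logpoint audit log line into header parts, positional segments and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Logpoint audit line: {line!r}")
    ev = AuditEvent(m["ts"], m["host"], m["level"])
    body, pos = m["body"], 0
    while body[pos:].strip():
        seg = SEGMENT_RE.match(body, pos)
        if not seg or seg.end() == pos:
            raise ValueError(f"cannot parse segment at offset {pos}: {body[pos:]!r}")
        if seg["key"] is not None:
            ev.fields[seg["key"]] = seg["qval"] if seg["qval"] is not None else seg["val"].strip()
        else:
            ev.positional.append(seg["pos"].strip())
        pos = seg.end()
    return ev

def is_incident(ev: AuditEvent) -> bool:
    """Mirror of the v5.2.1 label rule: the Incident label applies when the action is 'Alert received'."""
    return len(ev.positional) > 1 and ev.positional[1] == "Alert received"

# Constructed samples: the page's two lines, with the x-masked ids of the alert line shortened.
SAMPLES = [
    "2019-11-04_05:02:50 Logpoint INFO: plugin emailnotification; notification; updated; "
    "type=audit_log; source_address='::xxxx:1.1.1.1'; user='admin'",
    "2021-03-22 07:04:41 Logpoint-132 INFO: LoggerPlugin; Alert received; type=alert_log; "
    "alert_name='Too mAny Logs'; incident_id='xxxx'; status='unresolved'; risk_level='critical'; "
    "description=''; repos='[\"127.0.0.1:5504\"]'; query='*'; tid=''",
]
```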
Web Server Common
Expected Log Format
"%h %l %u %t \"%r\" %>s %b"
Mar 6 08:28:02 apache: 1.1.1.1 - - [06/Mar/2012:08:28:02 +0100] "GET /cms/en/contact_us HTTP/1.0" 200 14922 "http://www.Logpoint.com/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
Kernel Log
Key = value
13:06:46 ubuntu kernel: [4742881.976153] set_firewall; denied udp; IN=eth0 OUT= MAC=X:X:XX:XX:XX:XX:XX:XX:XX:XX SRC=X.X.X.X DST=XX.XX.X.XX LEN=XXX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX PROTO=UDP SPT=XXXXXX DPT=XXX LEN=XX
Changes in the Previous Version
Changes in Logpoint v5.2.1
Enhancement
Description: The label package has been updated to apply the Incident label for the event where Action = "Alert received."
Issue ID: KB-13315
Zendesk Support ID: 42738, 49170, 50007, 54049
Changes in Logpoint v5.2.0
Enhancement
The application now includes the normalization package LP_Logpoint Audit, which supports Logpoint Web server audit logs that have been updated to handle a hostname.
Support
If you have any queries or require assistance, please feel free to contact our support team:
Email: servicedesk@Logpoint.com
Phone: +45 7060 6100