1. Logpoint Service Desk
  2. Community
  3. SIEM - Architecture & Configuration

Running LogPoint as Docker Container

Avatar
Follow
0

I just managed to run LogPoint as a docker image/container.

It is relatively simpel and could help improving testing systems, where you want to start from a fresh logpoint for each test, make the desired configurations, run the test and discard the changes at the end.

Our use case was developing a unit testing framework for alert rules.

  • Spin up the docker container
  • Configurate repo, routing policy, normalization policy, processing policy, device and syslog collector
  • Configurate the alert rule to test (test object)
  • Send some pre-defined logs via syslog to the docker-logpoint
  • Wait pre-defined time to see if the behaviour of the alert rule is as expected (triggers or doesn’t trigger)
  • Stop the docker container, discarding all changes (configuration, log storage, etc.)
  • Repeat with the next test scenario

Here is what I did to run logpoint in a container. I did this on a linux machine (debian 12) with docker.io installed:

  • Download latest OVA (here logpoint_7.4.0.ova)
  • Extract the OVA (which is a tarball at all)
    • tar xf logpoint_7.4.0.ova
  • Convert the VMDK disk image to a raw disk image with qemu-img
    • qemu-img convert -O raw LogPoint-7.4.0.vmdk LogPoint-7.4.0.raw
  • Figure out the start position of the LVM partition in the disk image
    • parted -s LogPoint-7.4.0.raw unit b print
    • Look for the start number of the 4th partition, copy it without the “B” at the end
  • Create a mountpoint where you mount the LVM partitions to
    • mkdir /mnt/rootfs
  • Create a loop device stating at the 4th partition postition we got from parted
    • losetup -o <START POSITION> -f LogPoint-7.4.0.raw
  • Mount the LVM LVs to our mountpoint
    • mount /dev/LogPoint-vg/root /mnt/rootfs/
    • mount /dev/LogPoint-vg/application /mnt/rootfs/opt/
    • mount /dev/LogPoint-vg/app_store /mnt/rootfs/opt/makalu/app_store/
    • mount /dev/LogPoint-vg/storage /mnt/rootfs/opt/makalu/storage/
  • Compress the whole filesystem into a gzip compress tarball for docker import
    • tar -czf image.tar.gz -C /mnt/rootfs/ .
  • Import the tarball as docker image
    • docker import image.tar.gz logpoint:7.4.0
  • Get the new logpoint docker image ID
    • docker images
  • Spin up a container and run an interactive shell inside the container
    • docker run --security-opt seccomp=unconfined --privileged --ulimit core=0 --ulimit data=-1 --ulimit fsize=-1 --ulimit sigpending=62793 --ulimit memlock=65536 --ulimit rss=-1 --ulimit nofile=50000 --ulimit msgqueue=819200 --ulimit rtprio=0 --ulimit nproc=-1 -p 8443:443 -p 8514:514 -p 822:22 -i -t <IMAGE ID> /bin/bash
  • Switch to the new less memory consuming shenandoah Java GC
    • sudo -u li-admin /opt/immune/bin/li-admin/shenandoah_manager.sh enable
  • Start the logpoint processes
    • /opt/logpoint/embedded/bin/runsvdir-start

I hope this helps some of you!

Share This Post:

1 comment

Date Votes

Please sign in to leave a comment.