1. Logpoint Service Desk
  2. Community
  3. SIEM - Searching & Analytics

Is it possible to create a device group with devices on a remote LP ?

Avatar
Follow
0

Hello,

as the title says i was wondering whether devices that are configured as a log source on a remote LP can be added to a devices group configured on the local LP?

Our network is divided into two locations connected via a MPLS connection, and to prevent devices sending their logs over the MPLS line we configured a LP at each location and added one LP as a remote LP into the other LP (our “main LP”).

I would like to create an alert on our “main LP” to notify us when a deviceis  no longer sending logs. Hence i would like to create a device group on the “main LP” containing all the devices the alert should “monitor”, but i am unable to add devices that are configured as log sources on the remote LP. As far as i understand the documentation, it is possible when using LP Director (which we do not have), but not possible in our scenario. Just  would like to confirm this and that i have to create an altert on both LP monitoring the “local” log sources.

Share This Post:

4 comments

Date Votes
0
Avatar
Nils Krumrey

A device group is just a logically concept (a list, really), and it is configured on each LogPoint node individually. I’m pretty sure that a device group indeed cannot include devices from another LogPoint node; it would have its own, local device groups.

However, that shouldn’t prevent you from running queries and alerts against the other node and its devices, as the device groups aren’t necessary to do that. The query I use to find devices not sending logs is 

| chart count() by device_name, device_ip ORDER BY count() DESC | filter "count()" = 0 | fields device_name, device_ip, count()

so by running that from your “main” LogPoint against the repos on the main and the remote LogPoint you should get a result for all devices not sendings logs on either. To make it a bit more convenient, you could create you own version of a Device Group as a LogPoint list on your main server, and for example call it MY_WINDOWS_DEVICES, then include the name of all your Windows devices on that list, and modify the query to: 

device_name IN MY_WINDOWS_DEVICES | chart count() by device_name, device_ip ORDER BY count() DESC | filter "count()" = 0 | fields device_name, device_ip, count()

Turning all of that into an alert is a bit trickier, but hopefully it gives you a starting point.

0
Avatar
Rupsan Shrestha

Just to add to what Nils said, This can be done by setting up a distributed Logpoint. You need to enable open door on the remote LP and configure that LP as a distributed LP in the main LP. (This is different from LP Director)

This will enable you to access the repositories from the “remote Logpoint” from the “main Logpoint” and run the queries that Nils suggested.

Hope this makes sense.

You can check this link for detailed information:

https://docs.logpoint.com/docs/distributed-logpoint/en/latest/

0
Avatar
Andre Kurtz

Thanks Nils,

we only had one LP till a couple of weeks ago and i was using device groups as i think its the most comfortable way (in sense of easiest to set up)  to limit queries to a set of devices. I already had a hunch that they are only applicable to local devices, but wanted to make sure. As you suggested, i think the next best thing is to “group” devices using lists now, which i will do.

0
Avatar
Andre Kurtz

Just to add to what Nils said, This can be done by setting up a distributed Logpoint. You need to enable open door on the remote LP and configure that LP as a distributed LP in the main LP. (This is different from LP Director)

This will enable you to access the repositories from the “remote Logpoint” from the “main Logpoint” and run the queries that Nils suggested.

Hope this makes sense.

You can check this link for detailed information:

https://docs.logpoint.com/docs/distributed-logpoint/en/latest/

Thanks Rupsan, we already implemented our LP environment the way you describe and it works as you say.

Please sign in to leave a comment.