Welcome to Logpoint Community

Connect, share insights, ask questions, and discuss all things about Logpoint products with fellow users.

  • Usage of if-else statements in eval

    Hi

    I can see that the process eval command supports the use of if-else statements, but I can’t find any examples of the syntax.

    My issue is that I have logs which contain a source_address field and a host_address field, and then I have some other logs which only contain host_address, and I would like to translate the IP to country from source_address if the field exists and otherwise take it from host_address. So I tried to say: if source_address is null, then set source_address to host_address, else nothing.
    |process eval(if(source_address=null, source_address=host_address,)

    Nicolai Thorndahl
  • Community Guidelines

    Please see our community guidelines below. The rules of the community can be updated as necessary. By registering as a LogPoint Community member, you accept the general terms and conditions LogPoint Terms of service and Community Guidelines.


    R-E-S-P-E-C-T
    LogPoint Community is a meeting place where everyone can give and get help. So let’s be nice to each other! We don’t use rude language, speak disrespectfully of others, or behave inappropriately in general.

    This is a place for relaxed conversation and mutual support – all in good spirit! We don't judge, criticize or bad-mouth anyone.

    Thank you goes a long way
    If you bump into a helpful answer, good thinking, or just something nice, you can give a simple thank-you by clicking the Thank you / Like-button. By liking comments you can help other users to find useful advice and good conversation later.

    Keep it private
    LogPoint Community is an open space and anyone can join even if they are not LogPoint Employees, Customers, or Partners, so please be careful about your personal information. Do not, under any circumstances, post or share (not even via private messages) any account numbers, license keys, phone numbers, physical addresses, email addresses, or any other sensitive personal information related to you and/or your organization and/or to your customers to any of the forum threads. As a LogPoint Partner or Customer, you should always discuss account-specific issues, questions, tickets, and the like containing any sensitive personal information related to you and/or your organization and/or to your customers with LogPoint Support on the LogPoint Service Desk. We advise you to always keep your posts general and to exclude any sensitive personal information related to you and/or your organization and/or to your customers on the LogPoint Community. LogPoint A/S will not be liable to you or anyone else for any financial loss, loss of business, injury, or any other loss resulting directly or indirectly from the use of LogPoint Community or the services we offer, caused in whole or part by its negligence or compiling, interpreting, reporting, or delivering this site and any content through this site. In no event will LogPoint A/S or any of its employees and partners be liable to you or anyone else for any decision made or action taken by you in reliance on such content. Should you fail to read or comply with our guidelines and suffer any losses, be they physical, financial or intellectual, loss of business or any other losses, in no event will LogPoint A/S or any of its employees and partners be liable to you or anyone else for any decision made or action taken by you.

    No spam
    LogPoint Community is about customers helping each other out, not for promotion. Please don’t post any advertising, spam, junk mail, chain letters, or any other kind of solicitation.

    Behave
    You shouldn't in any situation post anything obscene, unlawful, harassing, threatening, harmful, abusive, or otherwise objectionable. Any post made in the forums is subject to moderation and can be edited or deleted if it violates these guidelines. It is furthermore strictly forbidden to discuss, disclose, dispute, or publish private discussions with our Moderators.

    Relax, you're in good hands
    If you spot a post that is against the rules, don’t respond to it. Just flag the post and our moderators will check the situation as soon as possible.

    LogPoint Community is here for you!

    Moderators can edit messages afterward or even delete messages. Moderators can delete messages with inappropriate content, personal insults, personal information, or other content that breaches the rules of LogPoint Community without warning.

    Compliance with our rules is supervised by LogPoint moderators and any violation of these rules leads to a warning. We reserve the right to permanently lock your user codes after three warnings. LogPoint Community moderators are LogPoint employees.

    CSO Integrations
  • Contents of LogPoint built in Backup?

    Hi

    What are the contents of the backup you can take from the LogPoint GUI? I can see there is both a Configuration and a Logs backup, but what’s the content of the Configuration backup?

    Will it have e.g.:

    • Users
    • Dashboards
    • Applications
    • Devices
    • Norm/enrichment/routing policies
    Nicolai Thorndahl
  • Detecting devices not sending logs

    Hi

    I know the following query can be used to create an alarm with devices that haven’t been sending logs
    | chart count() by device_ip | search 'count()' = 0

    However, in cases where I have multiple IPs for a single device this won’t work, as the ones not sending data will come up in the search result even though the device is sending data from another IP. Another case where I have issues is when pulling data with, for instance, the O365 fetcher, which will have the device_ip of the localhost, which will also be the case for the internal LogPoint logs. One way could be to create alerts on the individual repos with some specific characteristics, but I would like to avoid creating multiple alerts for the same thing to reduce search load.

    Any ideas how to build a single alert for detecting devices with multiple IPs that are not sending logs, and fetchers not fetching any data?

    Nicolai Thorndahl
  • Controlling LPAgent from Director?

    Can I centrally control LogPoint Agents from my Director console?

    Nicolai Thorndahl
  • Office 365 troubleshooting

    Facing issues during the Office 365 fetcher configuration? In the table below we have listed some of the frequently occurring issues and their solutions.

    First, make sure to open the following domains in the firewall:

    1. login.windows.net
    2. login.microsoftonline.com
    3. manage.office.com

    S.N. / Error Seen / Reason for the Error

    1. Error seen:
       error=Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: 52eb33f4-b7d8-4b20-a987-0921e5720700\r\nCorrelation ID: c90fc381-c8c9-49ae-b04b-1dd4234a6eed\r\nTimestamp: 2017-12-15 11:09:40Z","error_codes":[70002],"timestamp":"2017-12-15 11:09:40Z","trace_id":"52eb33f4-b7d8-4b20-a987-0921e5720700","correlation_id":"c90fc381-c8c9-49ae-b04b-1dd4234a6eed"}
       Reason for the error: Use of web application instead of native application. Set Default Client Type to Yes. Refer this.

    2. Error seen:
       2017-12-18_13:56:23.11898 WARNING: exception while running job {u'http_proxy': u'', u'routing_policy': u'default', u'_enrich_policy': u'None', u'client_id': u'c04a5a8e-e41f-4463-81b8-9763df8727f6', u'o365_user_name': u'logpoint', u'tenant_id': u'5fdc6ba4-b2e4-4467-a144-0f6fe370a517', u'device_ip': u'10.100.1.146', u'device_name': u'prsnfvllg0001', u'https_proxy': u'', u'normalizer': None, u'fetch_interval': 10800, u'timezone': u'UTC', u'o365_user_password': u'@gefos2015!', u'charset': u'utf-8'}, error=Server returned an unknown AccountType: unknown
       Reason for the error: Incorrect username (in this case it must include the domain).

    3. Error seen:
       2018-01-21_13:57:56.77092 WARNING: An exception occured for url. Retrying: https://manage.office.com/api/v1.0/e86f4c2e-cb7f-48a6-8295-30ebee2c0abf/activity/feed/audit/20180121133014619009373$20180121133014619009373$audit_azureactivedirectory$Audit_AzureActiveDirectory. Exception: HTTPSConnectionPool(host='manage.office.com', port=443): Max retries exceeded with url: /api/v1.0/e86f4c2e-cb7f-48a6-8295-30ebee2c0abf/activity/feed/audit/20180121133014619009373$20180121133014619009373$audit_azureactivedirectory$Audit_AzureActiveDirectory?PublisherIdentifier=e86f4c2e-cb7f-48a6-8295-30ebee2c0abf (Caused by <class 'socket.error'>: [Errno 110] Connection timed out)
       2018-01-21_13:58:00.47220 ERROR: Error: sid=office365|fetcher@logpoint.com; error='NoneType' object has no attribute 'ok'
       Reason for the error: Connection timed out.

    4. Error seen:
       2018-01-21_04:29:20.65699 WARNING: An exception occured for url. Retrying: https://manage.office.com/api/v1.0/e86f4c2e-cb7f-48a6-8295-30ebee2c0abf/activity/feed/audit/20180121033815495016684$20180121033815495016684$audit_azureactivedirectory$Audit_AzureActiveDirectory. Exception: HTTPSConnectionPool(host='manage.office.com', port=443): Read timed out. (read timeout=None)
       2018-01-21_04:29:25.47278 ERROR: Error: sid=office365|fetcher@logpoint.com; error='NoneType' object has no attribute 'ok'
       2018-01-21_10:05:29.87411 WARNING: An exception occured for url. Retrying: https://manage.office.com/api/v1.0/e86f4c2e-cb7f-48a6-8295-30ebee2c0abf/activity/feed/audit/20180121093832305015413$20180121093832305015413$audit_azureactivedirectory$Audit_AzureActiveDirectory. Exception: HTTPSConnectionPool(host='manage.office.com', port=443): Read timed out. (read timeout=None)
       Reason for the error: Read time out.

    5. Error seen:
       ERROR: RequestException: sid=office365|fetcher@logpoint.com; error=HTTPSConnectionPool(host='manage.office.com', port=443): Max retries exceeded with url: /api/v1.0/e86f4c2e-cb7f-48a6-8295-30ebee2c0abf/activity/feed/subscriptions/content?contentType=Audit.Exchange&endTime=2018-01-25T01%3A40%3A09&startTime=2018-01-25T00%3A40%3A09&PublisherIdentifier=e86f4c2e-cb7f-48a6-8295-30ebee2c0abf (Caused by <class 'socket.error'>: [Errno 104] Connection reset by peer)
       Reason for the error: Connection reset by peer.

    6. Error seen:
       ERROR: Office365Fetcher: sid=office365fetcher|e86f4c2e_cb7f_48a6_8295_30ebee2c0abf; adal_error=WS-Trust RST request returned http error: 500 and server response: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action></s:Header><s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="da-DK">An error occurred when verifying security for the message.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>
       Reason for the error: Timezone mismatch between the LogPoint machine and the AD machine while using federated ADFS.

    CSO Integrations
  • Getting ADFS logs into Logpoint

    You need to adjust Logpoint Agent or the NxLog configuration to get ADFS logs ingested into Logpoint.

    To do this, use the <Select Path="AD FS/Admin">*</Select> tag in the NxLog or Logpoint Agent configuration.

    Furthermore, you will need to add a Custom Category in LogPoint Agent as seen on the screenshot below.

    [Screenshot not available]

    CSO Integrations
  • "LDAP User/Group Mapping" in LDAP Authentication

    Generally, LogPoint pulls the User and Group relationship data from the LDAP server that is being used.

    Since there is a variation among LDAP server vendors on how the user-group relationship is represented, LogPoint requires data on how this mapping is done.

    For instance, in case of Microsoft AD, each user will have an attribute called "memberOf" which contains all the groups the particular user belongs to.

    While in case of OpenLDAP, the group will contain the attribute "member" which lists all users belonging to this group.

    This enables us to configure LogPoint depending on how user-group mapping is done on the LDAP server.

    For example,

    • If the Group in LDAP contains information about its members in a field named "myMembers", then you need to select the "Group Contains User Info" button and input "myMembers" in the text field. In the "User Settings" section's "Group Mem attr", you will need to enter the name of the User attribute that the "myMembers" field contains.
    • If the User in LDAP contains information about the groups it belongs to in a field named "myGroups", then you need to select the "User Contains Group info" button and input "myGroups" in the text field. In the "Group Settings" section's "Mem Group Attr", you will need to enter the name of the Group attribute that is contained by the "myGroups" field of the LDAP User.
    CSO Integrations
  • Using quotes " in process regex command?

    I need to extract a field which is not getting normalized as it is part of a combined field. The value of the field is surrounded by quote signs, but the process regex command doesn’t seem to get it when I put a backslash before the quote sign. Can I somehow escape the quotes in my regex?

    Example: I want to extract the “From” field value
    {
    "Directionality": "Incoming",
    "From": "do-not-reply@test-industry.dk",

    Wrote the following regex: .*?From\"\:\s*?\"(?P<from>.*?)\"
    but pasting it to | process regex(“.*?From\"\:\s*?\"(?P<from>.*?)\"”, msg) gives error and says “unbalanced quotes”

    Nicolai Thorndahl
  • UEBA Risk Score

    LogPoint UEBA: User Risk Score

    How are the User Risk Scores being calculated (“weighted totals”, “fuzzy logic”, ...)?

    Friedrich von Jagwitz
  • Multi line parser?

    Hi,

    How do you create a “multi line” normaliser, e.g. Java logs (stack traces) or JSON objects?

    Joon Hansen
  • Is there a postman collection for the REST API?

    Hi experts,

    Is there a postman collection for the REST API that I could use?

    Joon Hansen
  • Working with UDP on LPAgent

    Hello all!

    The docs portal https://docs.logpoint.com/docs/logpoint-agent/en/latest/Installing%20the%20Application.html mentions that we use TCP for communication between LPAgent and the Logpoint server. What can we do in case of UDP instead?

    Sandesh Bhusal
  • Pool

    Hi

    When you add multiple LogPoint instances to the same pool, do you still have the possibility to modify and create e.g. new devices on the individual instances, or will the configuration be added to all LogPoints in the pool?

    Thomas Bonde
  • Has anyone worked with the "step" function in Logpoint?

    Hello. Just as the question mentioned. I am fulfilling a use case that requires grouping integer values in steps of maybe 4, 10, or even more. I would like to use the step function, but it is not working as per the documentation mentioned at docs.logpoint.com

    Can anyone point me towards the solution to grouping values / using the step function?

    Sandesh Bhusal
  • Admin training

    Is it a prerequisite to take the user training before joining the admin training?

    Nicolai Thorndahl
  • Uploading assets to the Director console

    I was trying to upload a patch to my director console but I got an error saying that the version is invalid. I also tried to upload a hotfix but getting the same error. Any ideas what is wrong?

    The files I am trying to upload:
    ThreatIntelligence_5.1.0.1.pak
    logpoint_6.9.2 (1).pak

    Nicolai Thorndahl
  • Anything to be aware of before deploying Director to an existing environment?

    Hi

    We are deploying Director to our existing environment to get a central control panel. Are there any preconditions I should be aware of?

    • Do the Backend servers (I have 3) need to have the exact same configuration with repos etc., or can they differ?
    • Do the hardware specs need to be exactly the same? One server was deployed later and thus has different hardware.
    Nicolai Thorndahl
  • What servers should be included in the director pool?

    Hi

    We are adding Director to our existing environment and I am wondering if I should include both Search Heads, Backend servers, and collectors in the Director pool. And should I divide them into different pools based on their function? E.g.

    - pool_1: SH01, SH02
    - pool_2: Backend_01, Backend02, Backend_03
    - Pool_3: Collector_01

    Or simply include all the servers in a single pool?
    The collector is sending logs to all 3 backends, and the search heads are able to search in all 3 backends.

    Nicolai Thorndahl
  • LogPoint servers in Director pool naming

    Hi

    Is it possible to have two or more LogPoint servers with the same name in the same Director pool?

    Nicolai Thorndahl
  • What is "LogPoint Operations Monitoring"?

    “LogPoint Operations Monitoring” is an additional service that LogPoint customers can subscribe to if they have limited resources to maintain the LogPoint system itself. With Operations Monitoring, a dedicated LogPoint team continually checks the overall system health of the LogPoint solution. We monitor the status of your system, including CPU usage, disk storage and I/O operations, to help detect and prevent failures and ensure maximum availability.

    If there are any issues, our team will respond fast and with quality to avoid any operational disruptions of your LogPoint solution. Operations Monitoring frees up valuable resources so you can focus on other high-priority tasks.

    Why might you need Operations Monitoring?

    Get control from day one

    Our experts keep your system running so you need fewer resources.

    Save up to 50% of your time on maintenance tasks

    Have more time for what really matters like incident response and threat hunting.

    Keep your SIEM up to date

    We’ll help upgrade and patch your SIEM to the latest versions.

    Advice from our experts

    We continuously review hardware requirements, dashboards, queries and reports.

    Insight into system performance

    Monthly reports on operational health and an incident overview.

    A dedicated support team

    We’ll submit support tickets for you and solve issues quickly.

    Nils Krumrey
  • What models are there for the "Active Directory Authentication" in UEBA?

    Does anyone have some examples of the models that are used for the “Active Directory Authentication” data source? For example, does this depend on certain Event IDs being present in the logs, and if so how do they map to the models?

    Nils Krumrey
  • Time Searches

    I have come across a query that ends up spitting out the month in text - I would have expected it to come out as a number, is that possible?

    Nils Krumrey
  • Where can I find the older versions of Logpoint Applications?

    Many of our customers are still using older applications, including plugins and dashboards. It's always been a hassle migrating configuration from one Logpoint to another, as for a successful migration we need the exact same versions of applications on both Logpoints. Configuration backup on Logpoint does not back up the application itself. Is there any archive where we can find all the previous versions of the applications?

    testbase bhattaa
  • What are the best practices for tuning the ZFS file system?

    Can I get some best practices to fine-tune my ZFS system?

    Sandesh Bhusal
  • Zpool configurations in logpoint

    One of our customers is going to add additional storage and extend an existing ZFS pool. I couldn’t find any official documentation on this, so can anyone help me with the recommended steps to follow?

    Gaurav Khatri
  • File Integrity monitoring for Linux

    Hello! Do we have any sort of FIM facilities available for Linux systems?

    Sandesh Bhusal
  • Pushing Configuration from LPAgent to Windows LPAgent process

    Sometimes, when creating a device, the configurations are not being pushed from LPAgent in Logpoint to the remote Windows machines. What can be done?

    Sandesh Bhusal
  • What are the currently supported data sources for UEBA?

    One of our customers was asking if it's possible to add VPN logs as a data source for UEBA.

    testbase bhattaa
  • LogPoint Certified Training

    I had a question from a partner: is there any kind of test for the certification after completion of the admin/user training?

    Rupsan Shrestha
