Welcome to Logpoint Community

Connect, share insights, ask questions, and discuss all things about Logpoint products with fellow users.

  • "LDAP User/Group Mapping" in LDAP Authentication

    Generally, LogPoint pulls the User and Group relationship data from the LDAP server that is being used.

    Since there is a variation among LDAP server vendors on how the user-group relationship is represented, LogPoint requires data on how this mapping is done.

    For instance, in case of Microsoft AD, each user will have an attribute called "memberOf" which contains all the groups the particular user belongs to.

    While in case of OpenLDAP, the group will contain the attribute "member" which lists all users belonging to this group.

    This enables us to configure LogPoint depending on how user-group mapping is done on the LDAP server.

    For example,

    • If Group in LDAP contains information about its members in a field named "myMembers", then you need to select the "Group Contains User Info" button and input "myMembers" in the text field. In the "User Settings" section's "Group Mem attr", you will need to enter the name of the User attribute that the "myMembers" field contains.
    • If User in LDAP contains information about the groups it belongs to in the field "myGroups", then you need to select the "User Contains Group info" button and input "myGroups" in the text field. In the "Group Settings" section's "Mem Group Attr", you will need to enter the name of the Group attribute that is contained by the "myGroups" field of the LDAP User.
    CSO Integrations
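    The two mapping styles above, resolved in code. This is an added example, not Logpoint's implementation: it takes a directory snapshot as a plain dict (shaped like the entries an LDAP search returns), the mapping direction, the membership attribute, and the attribute of the referenced entry that the values name (what the "Group Mem attr" / "Mem Group Attr" fields hold), and returns the user's groups. The snapshots, DNs and attribute names are constructed sample data, and the optional nested expansion goes beyond the post, since memberOf and member only record direct membership.

```python
"""Resolve a user's LDAP groups under both mapping styles.

Added example (not Logpoint code). Directory snapshots are constructed
sample data in the shape {dn: {attribute: [values]}}.
"""
from __future__ import annotations


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: the attribute types and RDN values used
    here (cn, ou, dc, uid) match case-insensitively and whitespace around ','
    is insignificant. Escaped commas or multi-valued RDNs need a real DN parser."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _norm_values(values, ref_attr: str) -> set[str]:
    """Normalise attribute values the way the referenced attribute is matched."""
    if ref_attr.lower() == "dn":
        return {norm_dn(v) for v in values}
    return {v.strip().lower() for v in values}


def _entry_keys(dn: str, entry: dict, ref_attr: str) -> set[str]:
    """The values by which an entry can be referred to: its DN, or its ref_attr values."""
    if ref_attr.lower() == "dn":
        return {norm_dn(dn)}
    return _norm_values(entry.get(ref_attr, []), ref_attr)


def _direct_groups(directory, dn, mode, membership_attr, ref_attr):
    """Entries that directly list `dn` as a member, or that `dn` directly lists."""
    entry = directory[dn]
    if mode == "user_contains_groups":
        # AD style: the entry names its own groups (memberOf holds group DNs).
        refs = _norm_values(entry.get(membership_attr, []), ref_attr)
        return [g for g, gentry in directory.items()
                if g != dn and _entry_keys(g, gentry, ref_attr) & refs]
    if mode == "group_contains_users":
        # OpenLDAP style: each group lists its members (member, uniqueMember, memberUid).
        mine = _entry_keys(dn, entry, ref_attr)
        return [g for g, gentry in directory.items()
                if g != dn and _norm_values(gentry.get(membership_attr, []), ref_attr) & mine]
    raise ValueError(f"unknown mode {mode!r}")


def resolve_groups(directory, user_dn, *, mode, membership_attr, ref_attr="dn", nested=False):
    """Sorted DNs of the groups `user_dn` belongs to.

    mode:            "user_contains_groups" ("User Contains Group info" in the UI)
                     or "group_contains_users" ("Group Contains User Info").
    membership_attr: attribute holding the relationship (memberOf, member, memberUid, ...).
    ref_attr:        attribute of the other entry that the values contain: "dn" for
                     DN-valued attributes, or e.g. "uid" for memberUid.
    nested:          also follow group-in-group membership (not transitive server-side).
    """
    if user_dn not in directory:
        raise KeyError(f"unknown entry {user_dn}")
    found: dict[str, str] = {}          # normalised DN -> DN as stored
    worklist = [user_dn]
    while worklist:
        dn = worklist.pop()
        for g in _direct_groups(directory, dn, mode, membership_attr, ref_attr):
            key = norm_dn(g)
            if key == norm_dn(user_dn) or key in found:
                continue                 # skip self-references and cycles
            found[key] = g
            if nested:
                worklist.append(g)
    return sorted(found.values())


# Constructed snapshot in the Microsoft AD style: membership lives on the user.
AD_SNAPSHOT = {
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=SOC Analysts,OU=Groups,DC=example,DC=com"]},
    "CN=SOC Analysts,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "memberOf": ["CN=LogPoint Users,OU=Groups,DC=example,DC=com"]},
    "CN=LogPoint Users,OU=Groups,DC=example,DC=com": {"objectClass": ["group"]},
}

# Constructed snapshot in the OpenLDAP style: membership lives on the group.
OPENLDAP_SNAPSHOT = {
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=soc,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["uid=bob,ou=people,dc=example,dc=com"]},
    "cn=logpoint-users,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["cn=soc,ou=groups,dc=example,dc=com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["bob"]},
}

if __name__ == "__main__":
    print(resolve_groups(AD_SNAPSHOT, "CN=Alice,OU=Users,DC=example,DC=com",
                         mode="user_contains_groups", membership_attr="memberOf", nested=True))
    print(resolve_groups(OPENLDAP_SNAPSHOT, "uid=bob,ou=people,dc=example,dc=com",
                         mode="group_contains_users", membership_attr="member", nested=True))
    print(resolve_groups(OPENLDAP_SNAPSHOT, "uid=bob,ou=people,dc=example,dc=com",
                         mode="group_contains_users", membership_attr="memberUid", ref_attr="uid"))
```

    The posixGroup case is the one where the "Group Mem attr" setting does real work: memberUid holds uid values, not DNs, so the resolver has to compare against the user's uid attribute instead of its DN. For DN-valued attributes the string normalisation here is only adequate for the sample; a production client should let the server do DN matching (an LDAP filter such as member=<DN>) rather than compare strings. Note also that AD's memberOf omits the user's primary group, which is recorded through primaryGroupID instead.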
  • Using quotes " in process regex command?

    I need to extract a field which is not getting normalized as it is part of a combined field. The value of the field is surrounded by quote signs, but the process regex command doesn’t seem to get it when I put a backslash before the quote sign. Can I somehow escape the quotes in my regex?

    Example, I want to extract the “from” field value
    {
    "Directionality": "Incoming",
    "From": "do-not-reply@test-industry.dk",

    Wrote the following regex: .*?From\"\:\s*?\"(?P<from>.*?)\"
    but pasting it to | process regex(“.*?From\"\:\s*?\"(?P<from>.*?)\"”, msg) gives an error and says “unbalanced quotes”

    Nicolai Thorndahl
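    The regex from the question, run outside Logpoint so the pattern can be checked separately from the quoting problem. This is an added example, not Logpoint code: Python's re module stands in for the engine behind process regex, the message is a constructed completion of the fragment in the post, and the \x22 escape used in the second pattern is an assumption to confirm against your own Logpoint version.

```python
"""Check the posted regex and a variant that contains no literal double quote.

Added example (not Logpoint code). Python's `re` is a stand-in for the regex
engine behind process regex; MSG is a constructed message.
"""
import json
import re

# Constructed message in the shape shown in the post, completed so it is valid JSON.
MSG = ('{\n'
       '  "Directionality": "Incoming",\n'
       '  "From": "do-not-reply@test-industry.dk",\n'
       '  "Subject": "hello"\n'
       '}')

# The pattern from the post, unchanged. In Python it works as soon as the enclosing
# string uses a different quote character than the one the pattern matches.
POSTED = r'.*?From\"\:\s*?\"(?P<from>.*?)\"'

# The same match spelled without any literal " character: \x22 is the hex escape
# for '"', and [^\x22]* replaces the lazy .*? so the match cannot overrun the closing
# quote. Assumption: Logpoint's process regex accepts \x22 (verify on your instance).
NO_QUOTE = r'From\x22\s*:\s*\x22(?P<from>[^\x22]*)\x22'


def extract_from(msg: str, pattern: str):
    """Return the named group `from`, or None when the pattern does not match."""
    m = re.search(pattern, msg)
    return m.group("from") if m else None


def parse_from_json(msg: str):
    """The robust alternative when the whole message is valid JSON: parse it."""
    return json.loads(msg).get("From")


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("no-quote", NO_QUOTE)):
        print(f"{name:9s} -> {extract_from(MSG, pat)}")
    print(f"json      -> {parse_from_json(MSG)}")
```

    Both patterns return the same address, so the pattern body itself is fine; the \x22 form simply contains no double-quote character for the command's own quoting to trip over. One more thing to rule out: the command as rendered in the post has typographic quotes (“ ”) around the pattern, and if those reached the search bar as-is instead of straight quotes, that alone would read as unbalanced.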
  • UEBA Risk Score

    LogPoint UEBA: User Risk Score

    How are the User Risk Scores being calculated (“weighted totals”, “fuzzy logic”, ...)?

    Friedrich von Jagwitz
  • Multi line parser?

    Hi,

    How do you create a “multi line” normaliser, e.g. Java logs (stack traces) or JSON objects?

    Joon Hansen
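    The core of a multi-line normaliser, as an added example rather than Logpoint's own parser: an event-start pattern (a leading timestamp is assumed here) where every line that does not match it is appended to the current event, which is what stitches a Java stack trace back together, plus brace counting so that a pretty-printed JSON object is kept whole even when one of its lines happens to look like an event start. The log lines are constructed sample input.

```python
"""Group physical log lines into logical events: Java stack traces and JSON objects.

Added example (not Logpoint code). SAMPLE_LINES is constructed input; the
timestamp format in START_RE is an assumption.
"""
import re

# An event starts at a line beginning with a timestamp or with '{' in column 0;
# every other line continues the current event.
START_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def brace_delta(line: str) -> int:
    """Net change in {} nesting on this line, ignoring braces inside JSON strings."""
    delta, in_str, escaped = 0, False, False
    for ch in line:
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            delta += 1
        elif ch == "}":
            delta -= 1
    return delta


def group_events(lines):
    """Return a list of events, each a newline-joined string of its physical lines."""
    events, cur, depth = [], [], 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if depth > 0:
            # Inside a pretty-printed JSON object: keep appending until the braces
            # balance, even if a line looks like an event start.
            cur.append(line)
            depth += brace_delta(line)
            continue
        if cur and (START_RE.match(line) or line.startswith("{")):
            events.append("\n".join(cur))   # flush the previous event
            cur = []
        cur.append(line)
        if line.startswith("{") and len(cur) == 1:
            depth = brace_delta(line)       # stays 0 if the object closes on this line
    if cur:
        events.append("\n".join(cur))
    return events


# Constructed sample: two plain events, a stack trace, and a pretty-printed JSON object.
SAMPLE_LINES = [
    "2024-05-01 10:00:00,123 INFO  Startup complete",
    "2024-05-01 10:00:01,456 ERROR Request failed",
    "java.lang.IllegalStateException: boom",
    "\tat com.example.Svc.run(Svc.java:42)",
    "\tat com.example.Main.main(Main.java:10)",
    "Caused by: java.io.IOException: disk full",
    "\t... 2 more",
    "{",
    '  "event": "login",',
    '  "user": "alice",',
    '  "note": "a } inside a string must not close the object"',
    "}",
    "2024-05-01 10:00:02,000 WARN  Done",
]

if __name__ == "__main__":
    for i, ev in enumerate(group_events(SAMPLE_LINES)):
        print(f"--- event {i}: {ev.count(chr(10)) + 1} line(s)")
        print(ev)
```

    The string-aware brace counter is the part worth keeping: a literal } inside a JSON string value would otherwise close the object early and split the event. Lines that precede the first start line are kept as their own event rather than dropped, so nothing disappears silently when the start pattern does not fit a source.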
  • Is there a postman collection for the REST API?

    Hi experts,

    Is there a postman collection for the REST API that I could use?

    Joon Hansen
  • Working with UDP on LPAgent

    Hello all!

    The docs portal https://docs.logpoint.com/docs/logpoint-agent/en/latest/Installing%20the%20Application.html mentions that we use TCP for communication between LPAgent and the Logpoint server. What can we do in case of UDP instead?

    Sandesh Bhusal
  • Pool

    Hi

    When you add multiple LogPoint instances to the same pool, do you still have the possibility to modify and create e.g. new devices on the individual instances, or will the configuration be added to all LogPoints in the pool?

    Thomas Bonde
  • Has anyone worked with the "step" function in Logpoint?

    Hello. Just as the question mentioned. I am fulfilling a use case that requires grouping integer values in steps of maybe 4, 10, or even more. I would like to use the step function, but it is not working as per the documentation mentioned at docs.logpoint.com

    Can anyone point me towards the solution to grouping values / using the step function?

    Sandesh Bhusal
  • Admin training

    Is it a prerequisite to take the user training before joining the admin training?

    Nicolai Thorndahl
  • Uploading assets to the Director console

    I was trying to upload a patch to my director console but I got an error saying that the version is invalid. I also tried to upload a hotfix but getting the same error. Any ideas what is wrong?

    The files I am trying to upload:
    ThreatIntelligence_5.1.0.1.pak
    logpoint_6.9.2 (1).pak

    Nicolai Thorndahl
  • Anything to be aware of before deploying Director to an existing environment?

    Hi

    We are deploying Director to our existing environment to get a central control panel. Are there any preconditions I should be aware of?

    • Do the backend servers (I have 3) need to have the exact same configuration with repos etc., or can they differ?
    • Do the hardware specs need to be exactly the same? One server was deployed later and thus has different hardware.
    Nicolai Thorndahl
  • What servers should be included in the director pool?

    Hi

    We are adding Director to our existing environment and I am wondering if I should include both Search Heads, Backend servers, and collectors in the Director pool? And should I divide them into different pools based on their function? e.g.

    - pool_1: SH01, SH02
    - pool_2: Backend_01, Backend02, Backend_03
    - Pool_3: Collector_01

    Or simply include all the servers in a single pool?
    The collector is sending logs to all 3 backends, and the search heads are able to search in all 3 backends.

    Nicolai Thorndahl
  • LogPoint servers in Director pool naming

    Hi

    Is it possible to have two or more LogPoint servers with the same name in the same Director pool?

    Nicolai Thorndahl
  • What is "LogPoint Operations Monitoring"?

    “LogPoint Operations Monitoring” is an additional service that LogPoint customers can subscribe to if they have limited resources to maintain the LogPoint system itself. With Operations Monitoring, a dedicated LogPoint team continually checks the overall system health of the LogPoint solution. We monitor the status of your system, including CPU usage, disk storage and I/O operations, to help detect and prevent failures and ensure maximum availability.

    If there are any issues, our team will respond fast and with quality to avoid any operational disruptions of your LogPoint solution. Operations Monitoring frees up valuable resources so you can focus on other high-priority tasks.

    Why might you need Operations Monitoring?

    Get control from day one

    Our experts keep your system running so you need fewer resources.

    Save up to 50% of your time on maintenance tasks

    Have more time for what really matters like incident response and threat hunting.

    Keep your SIEM up to date

    We’ll help upgrade and patch your SIEM to the latest versions.

    Advice from our experts

    We continuously review hardware requirements, dashboards, queries and reports.

    Insight into system performance

    Monthly reports on operational health and incident overview

    A dedicated support team

    We’ll submit support tickets for you and solve issues quickly


    Nils Krumrey
  • What models are there for the "Active Directory Authentication" in UEBA?

    Does anyone have some examples of the models that are used for the “Active Directory Authentication” data source? For example, does this depend on certain Event IDs being present in the logs, and if so how do they map to the models?

    Nils Krumrey
  • Time Searches

    I have come across a query that ends up spitting out the month in text - I would have expected it to come out as a number, is that possible?

    Nils Krumrey
  • Where can I find the older versions of Logpoint Applications ?

    Many of our customers are still using older applications, including plugins and dashboards. It's always been a hassle migrating configuration from one Logpoint to another, as for a successful migration we need the exact versions of the applications on both Logpoints. Configuration backup on Logpoint does not back up the application itself. Is there any archive where we can find all the previous versions of the applications?

    testbase bhattaa
  • What are the best practices for tuning the ZFS file system?

    Can I get some best practices to fine-tune my ZFS system?

    Sandesh Bhusal
  • Zpool configurations in logpoint

    One of our customers is going to add additional storage and extend an existing ZFS pool. I couldn’t find any official documentation on this, so can anyone help me with the recommended steps to follow?

    Gaurav Khatri
  • File Integrity monitoring for Linux

    Hello! Do we have any sort of FIM facilities available for Linux systems?

    Sandesh Bhusal
  • Pushing Configuration from LPAgent to Windows LPAgent process

    Sometimes, when creating a device, the configurations are not being pushed to the remote windows machines from LPAgent in Logpoint. What can be done?

    Sandesh Bhusal
  • What are the currently supported data sources for UEBA?

    One of our customers was asking if it's possible to add VPN logs as a data source for UEBA.

    testbase bhattaa
  • LogPoint Certified Training

    I had a question from a partner: is there any kind of test for the certification after completion of the admin/user training?

    Rupsan Shrestha
  • Deployment on a SAP Solution Manager (SolMan) system

    Question from a prospect, can the software be deployed on a SAP Solution Manager (SolMan) system?

    Rupsan Shrestha
  • Using SAP Extended on SAP systems still running on Oracle databases

    Hi SAP Team, my customer has SAP systems still running on Oracle databases, but they would like to use LogPoint for SAP Extended, which is certified for S/4HANA. Can you advise, please?

    Rupsan Shrestha
  • LogPoint for SAP- integrations supported

    What SIEM integrations are supported?

    Basudev Raut
  • Setup time for 5 SIDs Extended

    How long will a setup for 5 SIDs Extended take?

    Basudev Raut
  • Transfer Core Server logs to the SIEM

    Hi SAP team,

    How can I transfer the logs stored in files from the Core server to the SIEM?

    Basudev Raut
  • Solution for monitoring SAP HANA database layer

    Hi SAP team,

    We have already set up LogPoint for SAP Extended to cover the SAP application layer. Is there an official solution we recommend to monitor the SAP HANA database layer?

    Basudev Raut
  • LogPoint for SAP- How do I get custom SAP table modification logs in the SIEM?

    Hi SAP Team, my customer would like to receive all changes performed to a custom SAP table ZTABLE in the SIEM, so they can visualize or alert on incorrect or malicious modifications. Do we have documentation on the steps to perform to obtain that data in the SIEM?

    Basudev Raut
