Welcome to Logpoint Community

Connect, share insights, ask questions, and discuss all things about Logpoint products with fellow users.

  • Detecting Log4Shell requires more than just a SIEM

    In addition to the blog post about LogPoint and the Log4j update here: https://www.logpoint.com/en/blog/status-on-log4j-vulnerability-in-logpoint/ - LogPoint has also created another blog post on how a combination of tools and a defense-in-depth mindset gives organizations the ability to detect post-compromise activity and put a stop to the attack.

    Read it here: https://www.logpoint.com/en/blog/detecting-log4shell-requires-more-than-just-a-siem/

    Regards,

    Brian Hansen, LogPoint

    VP, Customer Success

    Brian Hansen
  • Update on Log4j

    Dear LogPoint Partner and Customer.

    Recently, a critical remote code execution vulnerability in Apache log4j (CVE-2021-44228) was discovered, affecting versions 2.0-2.14.1.

    Vulnerability status of LogPoint products

    At this time, we have determined that no LogPoint products are affected by the vulnerability.

    For detailed information about the vulnerability status of each LogPoint product, please consult the table below. If you have any questions about the vulnerability, please contact LogPoint Support or LogPoint Community.

    Details of vulnerability by LogPoint product

    Product                     Vulnerable?      Reason
    ---------------------------------------------------------------
    LogPoint 6.12.2             Not affected     Log4J v 1.2 used
    Previous LogPoint versions  Not affected     Previous versions used
    UEBA                        Not affected     Log4J v 1.x used
    LogPoint Agent              Not applicable   Not used
    Director Console            Not affected     Log4J v 1.2 used
    Director Fabric             Not affected     Log4J v 1.2 used
    Search Master               Not affected     Log4J v 1.2 used
    AAHC                        Not affected     Log4J v 1.2 used
    Plugins                     Not affected     Log4j v 1.2 used
    Applications                Not applicable   Not used
    LogPoint for SAP HANA       Not applicable   Not used
    LogPoint for SAP Light      Not affected     Not used
    LogPoint for SAP Extended   Not applicable   Not used

    * Note: log4j v1.2.x is vulnerable to another vulnerability that is only exploitable when using the JMSAppender class. While LogPoint uses log4j version 1.2, JMSAppender is not used in LogPoint, and we have actively attempted to exploit the vulnerability, confirming that in these cases log4j v1.2 is not vulnerable in the current deployment configuration.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228

    Regards,

    Brian Hansen, LogPoint

    VP, Customer Success

    Brian Hansen
  • Is LogPoint vulnerable to CVE-2021-44228

    Hello LogPoint Support / LogPoint Community,

    regarding the news about the log4j 2 CVE-2021-44228, I’ve been wondering whether log4j Version 2 is in use in the LogPoint Core SIEM or other parts of your product suite.

    Could you please evaluate this and inform us partners and customers about the probable impact of this CVE?

    Thanks so much in advance,

    Tobias Weidemann

    Frank Schmidt
  • Documentation- Integration

    Hi Team,

    We are checking for integration documentation with LogPoint for the products below:

    1. Okta

    2. Salesforce

    Do we have a built-in use case package?

    Satya Pathivada
  • Logpoint Incidents Integrate with ServiceNow

    Hi Team,

    Is it possible to integrate the Logpoint Incident page with ServiceNow?

    We want to check whether Logpoint has that capability.

    Thanks

    Satya

    Satya Pathivada
  • Notification - Device not sending logs >24 hours

    Hi Team,

    How do I set up a “Device not sending logs” alert in Logpoint, and how do I configure that alert for email, like the SFTP setup?

    Thanks

    Satya

    Satya Pathivada
  • Tagging devices - criticality

    Hi Team,

    Can we tag device criticality in Logpoint?

    We are looking to create notifications for critical and high severity devices.

    Satya Pathivada
  • Which firewall ports should be opened for logpoint server?

    Hi,

    on my firewall I opened port 443 to destination customer.logpoint.com (172.67.190.81 and 104.21.76.59).

    Now I see on the firewall that the server tries to open connections to the ip addresses 104.16.37.47 and 104.16.38.47 through port 443. Are these connections also needed?

    Best regards,

    Hans Vedder

    Hans Vedder
  • Getting false alerts for inactive devices

    Hello,

    to get notified when a device is no longer sending logs, I created an alert that uses this search query:

    device_ip in DG_AKTIVE_GERAETE | chart count() by device_name,device_ip | search 'count()' = 0

    (AKTIVE_GERAETE is a device group I put all the devices in that should be monitored.)

    The alert runs every two hours, and nearly every day at the same time (1am) I get an alarm per email that one of our firewalls didn’t send logs. I am pretty sure that is a false positive.

    However, when clicking on the link in the email, I indeed see a hit.

    [Screenshot: False alert]

    But when searching again by clicking on search, there isn’t a hit anymore.

    Displaying all logs from this device for the last 24 hours also does not show any missing logs for this time.

    So, as I said, pretty sure it is a false positive.

    The alert is always triggered for the same device and always for the same timeframe (23:00 and 01:00), so I was thinking that the LP wants me to somehow acknowledge it before it stops triggering. But I already marked and closed all incidents of the alarm at one point, and the next day the alarm was triggered again.

    Here is the configuration of the alert:

    Anybody got any ideas? Am I missing something? I know the next LP version will have the detection of inactive devices built in, but I am curious what is going on here.

    Andre

    Andre Kurtz
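    As an added example (not from the post above and not Logpoint code), the inactive-device check done in plain Python over a device inventory and a few constructed log records: the device group, not the log stream, drives the loop, so a device that sent nothing still gets an explicit count of 0. The same function is then run with the window shifted by one hour to show how a mismatch between the scheduler's clock and the log_ts field changes which devices get flagged. Device names, IPs and timestamps are made up for illustration.

```python
from datetime import datetime, timedelta

TS_FMT = "%Y/%m/%d %H:%M:%S"  # log_ts format shown elsewhere on this page

# Constructed device group standing in for DG_AKTIVE_GERAETE (ip -> name).
DEVICE_GROUP = {
    "10.0.0.1": "fw-01",
    "10.0.0.2": "fw-02",
    "10.0.0.3": "switch-01",
}

# Constructed sample events; switch-01 sends nothing at all, fw-01 logs rarely.
SAMPLE_LOGS = [
    {"device_ip": "10.0.0.1", "device_name": "fw-01", "log_ts": "2021/11/10 21:30:00"},
    {"device_ip": "10.0.0.1", "device_name": "fw-01", "log_ts": "2021/11/11 00:55:00"},
    {"device_ip": "10.0.0.2", "device_name": "fw-02", "log_ts": "2021/11/10 23:10:00"},
    {"device_ip": "10.0.0.2", "device_name": "fw-02", "log_ts": "2021/11/11 00:20:00"},
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def count_per_device(logs, group, start, end):
    """Events per group device with start <= log_ts < end.

    The inventory seeds every device with 0, so a device that never appears
    in the logs is still represented in the result."""
    counts = {ip: 0 for ip in group}
    for rec in logs:
        ip = rec["device_ip"]
        if ip in counts and start <= parse_ts(rec["log_ts"]) < end:
            counts[ip] += 1
    return counts


def inactive_devices(logs, group, window_end, window_hours=2):
    """Names of group devices with zero events in the window ending at window_end."""
    start = window_end - timedelta(hours=window_hours)
    counts = count_per_device(logs, group, start, window_end)
    return sorted(group[ip] for ip, n in counts.items() if n == 0)


def run_check(logs, window_end_str, window_hours=2, group=DEVICE_GROUP):
    """Convenience wrapper taking the window end as a log_ts-style string."""
    return inactive_devices(logs, group, parse_ts(window_end_str), window_hours)


if __name__ == "__main__":
    # Run at 01:00 covering 23:00-01:00: only switch-01 is silent.
    print(run_check(SAMPLE_LOGS, "2021/11/11 01:00:00"))
    # Same check with the window one hour earlier (e.g. a timezone offset
    # between scheduler and log_ts): fw-01 is now flagged as well.
    print(run_check(SAMPLE_LOGS, "2021/11/11 00:00:00"))
```

    Because the window is half-open, an event exactly at the window end belongs to the next run; when comparing against a SIEM alert, check which clock (ingest time or log_ts) the alert's time range is evaluated on.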
  • The use of certificates in LogPoint

    Hi

    I need a description of the usage of certificates in LogPoint.

    What are the recommendations?

    Which certificates are stored where?

    Which precautions should be taken when replacing certificates?

    The location of each respective certificate:

    • HTTPS
    • Syslog SSL
    • LPA

    Regards

    Hans

    Hans-Henrik Mørkholt
  • Normalizer Policy Runtime Usage Statistics?

    Is it somehow possible to get runtime usage statistics from the normalizers?

    What I want to see is:

    How much time was spent within which Compiled Normalizer or Normalizer Package?

    How many log messages were normalized with which Compiled Normalizer or Normalizer Package?

    We have often seen performance issues due to poorly performing normalizer packages or compiled normalizers.

    It would be much easier to figure out which normalizer is causing the performance issue here if you could see the above statistics.

    This way you could identify runtime hotspots and perform optimizations.

    Currently I do this manually by stopping a normalizer service and running it in the python debugger:

    /opt/immune/bin/envdo /opt/immune/etc/env_bin/python -m pdb /opt/immune/installed/norm/apps/normalizer/normalizer.py /opt/immune/etc/config/normalizer_0/config.json

    (Pdb)c
    [wait a few seconds]
    [press ctrl + c]
    (Pdb)bt
    (Pdb)list
    (Pdb)display event
    [check the currently processed log message]

    Markus Nebel
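    An added example, not Logpoint's normalizer code and not the poster's pdb session: the statistics asked for above, collected by wrapping each normalizer callable with a timer and counters in Python. The normalizers, their names and the three log lines are constructed for illustration; the 'legacy_app' pattern is deliberately written with a nested quantifier so that one crafted line makes it the hotspot in the report.

```python
import re
import time
from collections import defaultdict


class NormalizerStats:
    """Per-normalizer call count, match count and wall-clock time."""

    def __init__(self):
        self.calls = defaultdict(int)
        self.matches = defaultdict(int)
        self.seconds = defaultdict(float)

    def run(self, normalizers, line):
        """Try normalizers in policy order, stop at the first match, record stats."""
        for name, fn in normalizers:
            t0 = time.perf_counter()
            fields = fn(line)
            self.seconds[name] += time.perf_counter() - t0
            self.calls[name] += 1
            if fields is not None:
                self.matches[name] += 1
                return name, fields
        return None, None

    def report(self):
        """Rows sorted by total time spent, slowest normalizer first."""
        rows = []
        for name, n in self.calls.items():
            total = self.seconds[name]
            rows.append({
                "normalizer": name,
                "calls": n,
                "matches": self.matches[name],
                "total_s": total,
                "avg_us": 1e6 * total / n,
            })
        return sorted(rows, key=lambda r: r["total_s"], reverse=True)


# --- constructed normalizers (hypothetical names) ---------------------------

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)


def ssh_normalizer(line):
    m = SSH_RE.match(line)
    return m.groupdict() if m else None


# Deliberately bad pattern: the nested quantifier backtracks exponentially on a
# run of word characters that is followed by something other than end-of-line.
LEGACY_RE = re.compile(r"^(?P<body>(\w+)+)$")


def legacy_normalizer(line):
    m = LEGACY_RE.match(line)
    return m.groupdict() if m else None


# Policy order matters: the slow normalizer is tried first for every line.
NORMALIZERS = [("legacy_app", legacy_normalizer), ("ssh", ssh_normalizer)]

# Constructed sample input; the last line trips the backtracking in LEGACY_RE.
SAMPLE_LINES = [
    "Nov 10 22:30:01 bastion sshd[4711]: Accepted publickey for ops from 10.0.0.5",
    "Nov 10 22:30:07 bastion sshd[4712]: Failed password for root from 203.0.113.7",
    "a" * 18 + "!",
]


def profile_lines(normalizers, lines):
    """Run every line through the policy and return (stats, per-line results)."""
    stats = NormalizerStats()
    results = [stats.run(normalizers, line) for line in lines]
    return stats, results


if __name__ == "__main__":
    stats, _ = profile_lines(NORMALIZERS, SAMPLE_LINES)
    for row in stats.report():
        print(f"{row['normalizer']:<12} calls={row['calls']:>3} matches={row['matches']:>3} "
              f"total={row['total_s'] * 1e3:8.2f} ms avg={row['avg_us']:9.1f} us")
```

    A normalizer with many calls, few matches and a high average is the one to move later in the policy or to rewrite; the same wrapper approach works for any callable pipeline stage.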
  • Updating of Applications

    Hi,

    I’m trying to find some information about updating applications. I have, for example, the Office365 application at version 5.0.1, and want to update it. This is on a production LP. What is the update process for applications/plugins?

    Many thanks

    Brandon Akal
  • Is it possible to share alert rules from "Used Rules"?

    I’ve implemented some alerts by using Vendor Rules (via the “Use” action) and customizing them. But there is no action to share or change ownership of rules in the “Used Rules” view. Is it generally impossible to share those rules?

    Maybe I don’t quite understand the purpose of “Used Rules”, shouldn’t the vendor rule by under “My Rules” once it has been customized?

    Tobias Hartmann
  • TCP Keepalive & Dead Connection Detection

    Hi

    One of the changes from LogPoint 5 to 6 I was excited to see implemented was the support for session keepalive in the syslog collector.

    Most people do not think that much about it, but I would say that it is part of ensuring a stable operating environment.

    Doing a 'netstat -ano | grep 514' in the CLI you will probably get something like the listing below (I have pasted in the headlines as well, as they will not show using '| grep'):

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
    --------------
    tcp6       0      0 :::514                  :::*                    LISTEN      off (0.00/0/0)
    tcp6       0      0 172.20.20.20:514        172.20.10.107:50554    ESTABLISHED keepalive (7126.58/0/0)
    tcp6       0      0 172.20.20.20:514        172.20.10.100:51662    ESTABLISHED keepalive (7126.58/0/0)
    tcp6       0      0 172.20.20.20:514        172.25.20.42:50053      ESTABLISHED keepalive (7135.92/0/0)

    ---------------

    This shows the tcp syslog connections and that they are supporting keepalive.

    7126.58 is the remaining life in seconds for that specific session - And this is where I realized that maybe LogPoint introduced keepalive, but they kept standard config, but then again this is also a question of tailoring values for the specific installation.

    To understand a bit more of this you can try pasting the following command sequence in the CLI.

    sysctl \
    net.ipv4.tcp_keepalive_time \
    net.ipv4.tcp_keepalive_intvl \
    net.ipv4.tcp_keepalive_probes

    And you will now get something like the below.

    -----------
    net.ipv4.tcp_keepalive_time = 7200
    net.ipv4.tcp_keepalive_intvl = 25
    net.ipv4.tcp_keepalive_probes = 9

    -----------

    TCP 7200 seconds is the standard TCP session length, and for a bit of explanation of these values: the TCP keep-alive timer kicks in after an idle time of 7200 seconds. If the keep-alive messages are unsuccessful, they are retried at an interval of 25 seconds. After 9 successive retry failures, the connection will be brought down.
    If you want to know a bit more about TCP keepalive and DCD (Dead Connection Detection), 'https://tldp.org/HOWTO/TCP-Keepalive-HOWTO/index.html' is a good place to visit.

    Knowing a bit about networks, I suspect that in most modern networks the communication between log source and LogPoint Back-End/Collector/LPC server will probably traverse one or more firewalls or load balancers, where concurrent sessions are a scarce resource, and depending on the firewall vendor the default inactivity time-out for a session can be anything from 30 minutes to 1 hour; load balancers might be even more aggressive.
    This typically results in sessions being torn down by the firewall or load balancer, leaving the initiating and receiving ends without the knowledge that their session has terminated.

    You might recognize some of the symptoms, like the snippet below from an 'nxlog.log' file:

    ---------------
    2021-08-23 11:22:23 ERROR couldn't connect to tcp socket on 10.9.9.9:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    .
    .
    2021-10-14 09:50:12 ERROR couldn't connect to tcp socket on 10.9.9.9:514; No connection could be made because the target machine actively refused it.
    .
    .
    .
    2021-11-09 21:02:35 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2021-11-09 21:02:36 INFO connecting to 10.9.9.9:514
    2021-11-09 21:02:57 INFO reconnecting in 2 seconds
    2021-11-09 21:02:57 ERROR couldn't connect to tcp socket on 10.9.9.9:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    2021-11-09 21:02:59 INFO connecting to 10.9.9.9:514

    ---------------

    If you decide to do something about these issues, you can start out by investigating the communication path between your LogPoint servers and your log sources, mapping inactivity time-outs, and then decide on an optimal config of the TCP stack on your LogPoint server.

    Changing these values is not difficult at all.

    Paste the sequence below into the CLI:
    ----------
    sysctl -w \
    net.ipv4.tcp_keepalive_time=1500 \
    net.ipv4.tcp_keepalive_intvl=60 \
    net.ipv4.tcp_keepalive_probes=10
    -----------

    The commands above only change the running config; the change will disappear at reboot.
    The way to make the change permanent is to edit '/etc/sysctl.conf', pasting the lines below at the end of the file.
    ---------
    net.ipv4.tcp_keepalive_time = 1500
    net.ipv4.tcp_keepalive_intvl = 60
    net.ipv4.tcp_keepalive_probes = 10
    --------

    The steps taken in this article do not just apply to your LogPoint installation.
    For my part, I realized this ten years back, when I was troubleshooting intermittent failures in applications communicating with database servers.


    Regards
    Hans

    Hans-Henrik Mørkholt
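    An added example that is not part of the post above and not Logpoint code: a small Python helper that parses sysctl-style output for the three keepalive values and reports when the first probe goes out, how long a silent peer goes unnoticed (time + intvl x probes), and whether the first probe precedes a given middlebox idle timeout. The 1800-second idle timeout is an assumed value taken from the low end of the 30-minute to 1-hour range mentioned in the post. Note that these sysctls only act on sockets that have SO_KEEPALIVE set; the 'keepalive' timer column in the netstat output above shows that the collector's sockets do.

```python
def parse_sysctl(text):
    """Parse 'key = value' lines, as printed by sysctl, into a dict of ints."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip()] = int(val.strip())
    return values


def evaluate_keepalive(values, middlebox_idle_timeout):
    """Compare the kernel keepalive triple with a firewall/load-balancer idle timeout.

    first_probe_after:        idle seconds before the first probe is sent
    dead_peer_detected_after: worst case until a silent peer is declared dead
    survives_idle_timeout:    the first probe goes out before the middlebox
                              idles the session out, refreshing its state entry
    """
    t = values["net.ipv4.tcp_keepalive_time"]
    i = values["net.ipv4.tcp_keepalive_intvl"]
    p = values["net.ipv4.tcp_keepalive_probes"]
    return {
        "first_probe_after": t,
        "dead_peer_detected_after": t + i * p,
        "survives_idle_timeout": t < middlebox_idle_timeout,
    }


def recommend(middlebox_idle_timeout, intvl=60, probes=10, fraction=0.5):
    """sysctl.conf lines with keepalive_time set to a fraction of the idle timeout,
    leaving headroom for clock skew and for the probe itself to be delayed."""
    t = int(middlebox_idle_timeout * fraction)
    return (
        f"net.ipv4.tcp_keepalive_time = {t}\n"
        f"net.ipv4.tcp_keepalive_intvl = {intvl}\n"
        f"net.ipv4.tcp_keepalive_probes = {probes}\n"
    )


# Constructed sysctl output: the kernel defaults quoted in the post, and the tuned values.
DEFAULT_SYSCTL = """\
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 25
net.ipv4.tcp_keepalive_probes = 9
"""
TUNED_SYSCTL = """\
net.ipv4.tcp_keepalive_time = 1500
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 10
"""

if __name__ == "__main__":
    FIREWALL_IDLE = 1800  # assumed 30-minute idle timeout on the path
    for label, text in (("default", DEFAULT_SYSCTL), ("tuned", TUNED_SYSCTL)):
        print(label, evaluate_keepalive(parse_sysctl(text), FIREWALL_IDLE))
    print(recommend(FIREWALL_IDLE), end="")
```

    On a live host, feed the output of 'sysctl net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes' into parse_sysctl; the 'dead_peer_detected_after' value is the longest a log source can be gone before the collector notices, which is the figure worth recording next to the firewall's idle timeout.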
  • LPA Agents status

    Hi

    I got this Python script from Mingma in LogPoint support, and think it is such a great utility, that it would be a pity if it is not available for others in the LogPoint community.

    It makes a CSV file of the info from the 'Agents' section of the 'LogPoint Agent Plugin' listing:

    "Device Name, Template, Source, Encryption, Last Config Update, Status"
    This can be used for different purposes, for example documenting the agents' status to the customer.

    Regards

    Hans

    Hans-Henrik Mørkholt
  • Email Alerts search-link

    Hi There!

    Is there a way to have my Logpoint server use its URL name instead of the IP address in the alert-mail search link?

    Regards, Fredrik

    Fredrik Svensson
  • VM IOPS requirement

    Hey,

    I’m trying to find information on the required/recommended IOPS for both hypervisor-hosted LPs and cloud-hosted VMs.

    Many thanks,

    Brandon Akal
  • change the password WEB from the CLI

    Hello,

    I lost my GUI password; I can access Logpoint only via the CLI.

    How can I reset my GUI password?

    thanks

    sbelmadani
  • "/opt/makalu/storage" grows and grows and grows

    Hi,

    since I installed Logpoint 6.12 three weeks ago, "/opt/makalu/storage" grew from 47 % to 89 %.

    Does anyone have the same issue?

    Best regards,

    Hans Vedder

    Hans Vedder
  • KPI

    I want to define the KPIs (Key Performance Indicators) for each piece of equipment in the dashboard. How can I proceed?

    obachane
  • How to see a result with "filter < ..."

    Hi,

    every hour my firewall loads a new antivirus database. In the normal case, I receive 24 logs a day. When the download fails, I don’t receive any log.

    Now I want to be informed when the count of logs is less than 20 a day.

    I tried the following:

    norm_id=FortiOS event_category=kevent sub_category=update message="Update result: virus db:yes*"  | chart count() as "Count" by message | filter "Count" < 20

    but this query doesn’t show me any results. I would like to see message and Count.

    What should I modify?

    Best regards,

    Hans Vedder

    Hans Vedder
  • Using geoip at drilldown

    Hi,

    at

    https://servicedesk.logpoint.com/hc/en-us/community/posts/360008777778-How-To-video-Using-GeoIP-with-LogPoint

    Kalyan Bhetwal provided the following query:

    norm_id=*  destination_address=* -destination_address in HOMENET  | chart count() by destination_address, country order by count() desc limit 10 | process geoip(destination_address) as country

    To my comment “With the ‘new’ query it's not possible to make a drill down.” he wrote:

    We will have a new feature in upcoming version of logpoint where the geoip used after chart count() will also be present in drilldown. This will solve the drilldown problem.

    What about the new feature? At the moment, it’s still not possible to make a drill down.

    I use Logpoint 6.12.1.

    Best regards,

    Hans Vedder

    Hans Vedder
  • Import Microsoft SCCM logs?

    I’m looking to import the various SCCM log files, but there doesn’t appear to be a normaliser or an obvious way to do this. Has anyone else done this?

    I’m mainly interested in the last client communication and the last patching updates and attempts, as part of a bigger piece of work to compare last communications from various different sources.

    Mark Northcott
  • Roundtable discussion with LogPoint VP of Customer Success

    Join us on the next Customer Success Roundtable session on October 21, 3PM-4PM CET, and share your ideas and feedback directly with the VP of Customer Success on how to improve LogPoint products and services.

    To register, simply send an email to customersuccess@logpoint.com

    CSO Integrations
  • Send your feature requests directly to the LogPoint Product Team going forward! 🥳😎

    We are now launching the LogPoint Ideas portal and would like you to join. Simply click the link below and log in with your existing support credentials, easy as that you are now ready to submit and upvote feature requests. Alternatively, you can always access the Idea Portal from the Community, just go to: homepage→ upper right corner→click Idea Portal

    Join here: https://logpoint.ideas.aha.io/

    CSO Integrations
  • Join: Restricting "followed by" using time conditions

    Hello,

    I am facing the following scenario:

    I want to monitor web GUI access to a device, especially the host an access was attempted from. However, most of the access attempts are done from different LANs, using web proxies. Hence, I only see the IP of the web proxies as the source IP of the login attempts.


    I would therefore like to use some kind of join to retrieve access attempts to the device, and then check on the web proxies which IP was accessing the device IP at around that time (e.g. within two seconds). (I tried a join based on the exact same time, but this approach leaves out many events.)

    So basically, I need something like

    [search1] as s1 followed by [search2] as s2 on s1.log_ts <= s2.log_ts + 2 seconds

    Does anybody know how I can accomplish this, or know of a different approach?

    Andre

    Andre Kurtz
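    An added example, not Logpoint query language and not code from the post: the time-proximity join described above, done in Python over constructed device-login and proxy-access records. Proxy records are indexed per proxy and sorted by time, so each login is matched with bisect against a ±window instead of a pairwise comparison; a login that does not come from a known proxy is reported as its own client. Field names ('proxy', 'source_address', 'destination_address'), IPs and timestamps are assumptions for illustration.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

DEVICE_IP = "10.1.1.1"               # hypothetical device with the web GUI
PROXIES = {"10.2.2.2", "10.2.2.3"}   # hypothetical web proxies
TS_FMT = "%Y/%m/%d %H:%M:%S"         # log_ts format shown elsewhere on this page


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


# Constructed sample logs.
DEVICE_LOGINS = [
    {"log_ts": "2021/11/09 12:00:05", "source_address": "10.2.2.2", "user": "admin"},
    {"log_ts": "2021/11/09 12:00:00", "source_address": "10.2.2.3", "user": "admin"},
    {"log_ts": "2021/11/09 12:01:00", "source_address": "10.3.3.3", "user": "root"},
]
PROXY_LOGS = [
    {"log_ts": "2021/11/09 12:00:04", "proxy": "10.2.2.2",
     "source_address": "192.168.1.10", "destination_address": "10.1.1.1"},
    {"log_ts": "2021/11/09 12:00:30", "proxy": "10.2.2.2",
     "source_address": "192.168.1.11", "destination_address": "10.1.1.1"},
    {"log_ts": "2021/11/09 12:00:02", "proxy": "10.2.2.3",
     "source_address": "192.168.5.5", "destination_address": "10.1.1.1"},
    {"log_ts": "2021/11/09 12:00:05", "proxy": "10.2.2.2",
     "source_address": "192.168.1.12", "destination_address": "10.9.9.9"},  # other target
]


def build_proxy_index(proxy_logs, device_ip):
    """proxy ip -> (sorted timestamps, parallel list of client ips) for hits on device_ip."""
    rows = defaultdict(list)
    for p in proxy_logs:
        if p["destination_address"] == device_ip:
            rows[p["proxy"]].append((parse_ts(p["log_ts"]), p["source_address"]))
    index = {}
    for proxy, hits in rows.items():
        hits.sort()
        index[proxy] = ([t for t, _ in hits], [c for _, c in hits])
    return index


def join_within(device_logins, proxy_logs, device_ip=DEVICE_IP, window_seconds=2):
    """For each login, the real client ip(s): the proxy's clients that reached
    device_ip within +/- window_seconds of the login, or the login source itself."""
    index = build_proxy_index(proxy_logs, device_ip)
    w = timedelta(seconds=window_seconds)
    results = []
    for d in device_logins:
        src = d["source_address"]
        if src not in PROXIES:
            results.append({"device_ts": d["log_ts"], "login_src": src,
                            "clients": [src], "via_proxy": False})
            continue
        times, clients = index.get(src, ([], []))
        t = parse_ts(d["log_ts"])
        lo, hi = bisect_left(times, t - w), bisect_right(times, t + w)
        results.append({"device_ts": d["log_ts"], "login_src": src,
                        "clients": sorted(set(clients[lo:hi])), "via_proxy": True})
    return results


if __name__ == "__main__":
    for row in join_within(DEVICE_LOGINS, PROXY_LOGS):
        print(row)
```

    The window here is symmetric (±2 s) rather than the one-sided condition in the post; widen it if proxy and device clocks are not tightly synchronised, and expect more than one candidate client per login on busy proxies.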
  • Why this query is wrong?

    Hi,

    when I start a query

    | chart min(log_ts) as min_ts  by min_ts, source_address, destination_address

    I receive the error message:

    could not convert string to float: '/'.

    But why?

    An example for log_ts: 2021/10/11 11:04:54

    I use

    | chart count() as "Count", min(log_ts) as min_ts, max(log_ts) as max_ts

    in a macro, and I am sure that in earlier versions of Logpoint I didn’t receive this error message.

    Currently I use Logpoint version 6.12.0.

    Best regards,

    Hans Vedder

    Hans Vedder
  • Creating Alert Rules PAK File

    Hi,

    I want to integrate many of the SIGMA rules found here:

    https://github.com/SigmaHQ/sigma

    I was able to translate them into the Logpoint Query Language, and now I want to import them as alert rules.

    Doing each one manually in the GUI is a very time-consuming/impossible task.

    Is there a way to import alert rules besides .PAK files? Or is there a definition of how such a .PAK file looks?

    Best Regards

    Timo

    Timo Fahlenbock
  • Live session introducing LogPoint SOAR

    Hi All,

    Just wanted to remind you of the awesome opportunity to join our live session with Doron Davidson, LogPoint VP Global Services, who will introduce LogPoint’s new capabilities to automate incident detection and response.

    Join the session to:

    • Learn how automatic response playbooks reduce the mean time to respond
    • See a product demo of common use cases
    • Understand the value of truly native response capabilities in LogPoint SIEM

    Joining links:

    Oct 5 for Partners: https://logpoint.zoom.us/webinar/register/WN_lSn4uIOsSPqlMrv03T4c1Q

    Oct 7 for Customers: https://logpoint.zoom.us/webinar/register/WN_LwrLoaX5SgKLRF-A4l1Nsw

    Oct 12 for Visitors: https://logpoint.zoom.us/webinar/register/WN_3Lf-tA0yTHKOa5cCyM1ATg

    CSO Integrations
  • LogPoint 6.12 - Speed up incident response with more contextual awareness

    Join Sales Engineer @Nils Krumey on October 5 on a live session where he will demo how the new update to LogPoint can help security analysts react to and resolve threats quickly by knowing instantly which type of threat it is.

    Join the knowledge session to:
    - Learn how the new categorisation of alerts and incidents to the MITRE framework can speed up incident response
    - See how you now can share search and report templates
    - Understand how LogPoint is making it easy to route incidents to different SOAR playbooks based on the incident type

    Register on the link below:
    https://lnkd.in/ggg9pvMH

    CSO Integrations
