SIEM - Architecture & Configuration
-
Does the Open Door use the Syslog Collector TLS Certificate?
We have a customer who used the new feature for uploading the SSL/TLS certificates for the Syslog Collector via the web interface.
Does this have any effect on the certificates used by OpenVPN?
Because currently, after configuring the Distributed LogPoint, we see in the OpenVPN client log (/opt/immune/var/log/service/remote_con_client_xx.xx.xx.xx/current) that the certificate cannot be verified:
2022-01-04_11:12:48.10967 Tue Jan 4 11:12:48 2022 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: XXX
-
Which firewall ports should be opened for logpoint server?
Hi,
On my firewall I opened port 443 to destination customer.logpoint.com (172.67.190.81 and 104.21.76.59).
Now I see on the firewall that the server tries to open connections to the IP addresses 104.16.37.47 and 104.16.38.47 through port 443. Are these connections also needed?
Best regards,
Hans Vedder
-
The use of certificates in LogPoint
Hi
I need a description of the usage of certificates in LogPoint.
What are the recommendations?
Which certificates are stored where?
Which precautions should be taken when replacing certificates?
The location of each respective certificate:
- HTTPS
- Syslog SSL
- LPA
Regards
Hans
-
TCP Keepalive & Dead Connection Detection
Hi
One of the changes from LogPoint 5 to 6 I was excited to see implemented was the support for session keepalive in the syslog collector.
Most people do not think that much about it, but I would say that it is part of ensuring a stable operating environment.
Doing a 'netstat -ano | grep 514' in the CLI you will probably get something like the listing below (I have pasted in the headlines as well, as they will not show when using '| grep'):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
--------------
tcp6 0 0 :::514 :::* LISTEN off (0.00/0/0)
tcp6 0 0 172.20.20.20:514 172.20.10.107:50554 ESTABLISHED keepalive (7126.58/0/0)
tcp6 0 0 172.20.20.20:514 172.20.10.100:51662 ESTABLISHED keepalive (7126.58/0/0)
tcp6 0 0 172.20.20.20:514 172.25.20.42:50053 ESTABLISHED keepalive (7135.92/0/0)
---------------
This shows the TCP syslog connections and that they are supporting keepalive.
7126.58 is the remaining life in seconds for that specific session, and this is where I realized that LogPoint may have introduced keepalive but kept the standard config; then again, this is also a question of tailoring values for the specific installation.
To understand a bit more of this you can try pasting the following command sequence in the CLI.
sysctl \
net.ipv4.tcp_keepalive_time \
net.ipv4.tcp_keepalive_intvl \
net.ipv4.tcp_keepalive_probes
And you will now get something like the below.
-----------
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 25
net.ipv4.tcp_keepalive_probes = 9
-----------
7200 seconds is the standard TCP session length. For a bit of explanation on these values: the TCP keep-alive timer kicks in after an idle time of 7200 seconds. If the keep-alive messages are unsuccessful, they are retried at an interval of 25 seconds. After 9 successive retry failures, the connection will be brought down.
If you want to know a bit more on TCP keepalive and DCD (Dead Connection Detection), 'https://tldp.org/HOWTO/TCP-Keepalive-HOWTO/index.html' is a good place to visit.
Knowing a bit about networks, I suspect that in most modern networks the communications between log source and LogPoint Back-End/Collector/LPC-server will probably traverse one or more firewalls or load balancers, and here concurrent sessions are a scarce resource. Depending on the firewall vendor, the default inactivity time-out for a session can be anything from 30 minutes to 1 hour, and load balancers might be even more aggressive.
This typically results in sessions being torn down by the firewall or load balancer, leaving the initiating and receiving end without the knowledge that their session has terminated.
You might recognize some of the symptoms, like the snippet below from an 'nxlog.log' file:
---------------
2021-08-23 11:22:23 ERROR couldn't connect to tcp socket on 10.9.9.9:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
.
.
2021-10-14 09:50:12 ERROR couldn't connect to tcp socket on 10.9.9.9:514; No connection could be made because the target machine actively refused it.
.
.
.
2021-11-09 21:02:35 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2021-11-09 21:02:36 INFO connecting to 10.9.9.9:514
2021-11-09 21:02:57 INFO reconnecting in 2 seconds
2021-11-09 21:02:57 ERROR couldn't connect to tcp socket on 10.9.9.9:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2021-11-09 21:02:59 INFO connecting to 10.9.9.9:514
---------------
If you decide to do something about these issues, you can start out with investigating the communications path between your LogPoint servers and your log sources, mapping inactivity time-outs and then deciding on an optimal config of the TCP stack on your LogPoint server.
Changing these values is not difficult at all.
Paste the sequence below into the CLI:
----------
sysctl -w \
net.ipv4.tcp_keepalive_time=1500 \
net.ipv4.tcp_keepalive_intvl=60 \
net.ipv4.tcp_keepalive_probes=10
-----------
The commands above only change the current config, which will disappear at reboot.
The way to make the change permanent is to edit '/etc/sysctl.conf', pasting the lines below at the end of the file.
---------
net.ipv4.tcp_keepalive_time = 1500
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 10
--------
The steps taken in this article do not just apply to your LogPoint installation.
For my part, I realized this years back, when I was troubleshooting intermittent failures in applications communicating with database servers.
Regards
Hans
-
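As an added example (not from the post above or from LogPoint's own tooling), this Python script parses constructed netstat and sysctl output modelled on the listings in the keepalive post, computes how long a silently dead syslog peer goes undetected (time + intvl * probes), and flags established sessions whose next keepalive probe is scheduled later than an assumed firewall inactivity timeout of 30 minutes.

```python
import re

# Constructed sample of `netstat -ano | grep 514` output, modelled on the post.
NETSTAT_SAMPLE = """\
tcp6 0 0 :::514 :::* LISTEN off (0.00/0/0)
tcp6 0 0 172.20.20.20:514 172.20.10.107:50554 ESTABLISHED keepalive (7126.58/0/0)
tcp6 0 0 172.20.20.20:514 172.20.10.100:51662 ESTABLISHED keepalive (7126.58/0/0)
tcp6 0 0 172.20.20.20:514 172.25.20.42:50053 ESTABLISHED keepalive (7135.92/0/0)
"""

# Constructed sample of the `sysctl` output shown in the post (kernel defaults).
SYSCTL_SAMPLE = """\
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 25
net.ipv4.tcp_keepalive_probes = 9
"""

def parse_sysctl(text):
    """Return the keepalive parameters from sysctl output as {name: int}."""
    pairs = re.findall(r"(net\.ipv4\.tcp_keepalive_\w+)\s*=\s*(\d+)", text)
    return {name: int(value) for name, value in pairs}

def dead_peer_detection_seconds(time_s, intvl_s, probes):
    """Worst-case time before a silently dead peer is torn down:
    the idle period, then `probes` unanswered probes `intvl_s` apart."""
    return time_s + intvl_s * probes

def sessions_at_risk(netstat_text, firewall_idle_timeout_s):
    """Established sessions whose next keepalive probe (first number in the
    netstat timer column) is further away than the firewall idle timeout,
    i.e. the firewall may drop its state entry before the kernel ever probes."""
    at_risk = []
    for line in netstat_text.splitlines():
        m = re.search(r"(\S+:\d+)\s+ESTABLISHED\s+keepalive\s+\(([\d.]+)/", line)
        if m and float(m.group(2)) > firewall_idle_timeout_s:
            at_risk.append((m.group(1), float(m.group(2))))
    return at_risk

def probes_start_before_timeout(keepalive, firewall_idle_timeout_s):
    """True if keepalive probing starts while the firewall still tracks the flow."""
    return keepalive["net.ipv4.tcp_keepalive_time"] < firewall_idle_timeout_s

if __name__ == "__main__":
    FW_TIMEOUT = 1800  # assumed 30-minute firewall inactivity timeout
    current = parse_sysctl(SYSCTL_SAMPLE)
    print("probing starts before firewall timeout:",
          probes_start_before_timeout(current, FW_TIMEOUT))
    for peer, remaining in sessions_at_risk(NETSTAT_SAMPLE, FW_TIMEOUT):
        print(f"{peer}: next probe in {remaining:.0f}s, firewall drops at {FW_TIMEOUT}s")
    # Post's defaults vs. its tuned values (1500/60/10): 7425s vs. 2100s detection.
    print(dead_peer_detection_seconds(7200, 25, 9), dead_peer_detection_seconds(1500, 60, 10))
```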
VM IOPS requirement
Hey,
I’m trying to find information on the required/recommended IOPS for both hypervisor-hosted LPs and cloud-hosted VMs.
Many thanks,
-
KPI
I want to define the KPI ( Key Performance indicators )for each equipment in the dashboard, how can I proceed?
-
Import Microsoft SCCM logs?
I'm looking to import the various SCCM log files, but there doesn't appear to be a normaliser or an obvious way to do this. Has anyone else done this?
I'm mainly interested in the last client communication and the last patching updates and attempts, as part of a bigger piece of work to compare last communications from various different sources.
-
Case Management
Hi, I am just wondering if there were any plans to include any form of case management with the product.
We are currently commenting on incidents in a structured way to allow us to search back through them, but having the ability to save multiple logs which relate to an investigation, for the purposes of escalation or handover, or even to store them outside of the various repos to have a log retention period, would be so useful. I know that this is possible currently through exporting the logs, but that takes the raw logs out of LogPoint, which is not as useful.
Without wanting to point to another vendor, LogRhythm have similar case management functionality which allows you to add certain logs into a case/investigation for ease.
-
device export script
Hi
Today I have a Python script for exporting devices in to a csv-file with the following fields:
device_name,device_ips,device_groups,log_collection_policies,distributed_collector,confidentiality,integrity,availability,timezone
Does a script exist that also extracts the additional fields:
uses_proxy, proxy_ip, hostname
This would make moving devices from LogPoint 5 to LogPoint 6 considerably easier.
Regards
Hans
-
Discussion: How do you implement Clients in DHCP networks?
In our internal research team we observed that it is of extremely high importance to have the logs of the client systems collected in your SIEM, especially of the Windows systems, in the best case with Sysmon together with a sophisticated Sysmon configuration.
The majority of large-scale "attacks" doesn't utilize any strange "cyber hacking voodoo", but uses simple "human naivety" as the initial code execution trigger, like a "mouse click" to "enable content" of a Microsoft Office document with VBA macros, which was delivered via email by the attackers. The following malware download, its execution, reconnaissance and lateral movement steps can be easily detected with a good Sysmon configuration, and this in "real time", before any harm is done or your IDS throws alerts.
The main issue is that clients are typically flexible/mobile systems, which connect to your enterprise network via different network IP ranges (several LANs, Wifi, VPN, WAN etc.).
As the current logpoint design requires either static IPs or whole network ranges, this completely blows up the license model, as you may have a /21 network (for example) with only 100 active devices in it.
I added a feature request a while back, where I request to re-design the LPagent, or, to be more specific, the logpoint configuration module on top of the nxlog used as LPagent.
At the moment the LPagent is inconvenient, as it runs a web server on the log source/device/client to accept connections from the logpoint datanode, which then pushes the nxlog configuration to the log source. This requires windows firewall rules for incoming connections etc.
Also, this is only possible with static IP devices, because the LP datanode acts as HTTP client and thus needs to know the unique device IP to connect to its web server and push the nxlog config. So this eliminates the usage on the flexible client systems.
My idea was to replace the web server by a web client in the first place, so that the LPagent is connecting to the LP datanode (or multiple for load balancing or network separation), instead of the other way around. This reduces the complexity of the LPagent enormously and resolves the firewalling and the static IP issue.
On the LP datanode side, an agent authentication token should be generated (either one for all devices, or for device groups) and an API endpoint has to be implemented, which accepts connections from LPagents from different configurable IP networks.
The LPagent shall receive the agent authentication token during its installation (either in the installer GUI or as a CLI parameter, so it could be done via group policy or central software control solutions). This token could then be used to make an initial agent configuration and identification (e.g. by exchanging a TLS client certificate, agent/client UUID etc.).
This would solve the license and IP issue on the LP datanode side, as the LP datanode could then see the total number of individual active devices according to the agent identification (e.g. an agent UUID) and claim the correct amount of licenses. So the LPagent would become IP independent when using the agent authentication token.
Even WAN log collection could be possible then (via specially secured connection of course) if you place a collector in your DMZ.
So my question to the community is: Are you collecting logs from clients, and if so, how are you doing it?
My only idea at the moment is to use nxlog 5 with a manual configuration, and add multiple collector IPs (this is possible since nxlog 5) for the different possible networks (LAN, VPN, Wifi...). But this would explode the license number, if you have a large network.
-
Installation of Logpoint in AIX machine
Can we install Logpoint in AIX machine 7.2?
-
Does LDAP Authentication support nested groups?
Does the LDAP Authentication support nested groups from AD?
-
Contents of LogPoint built in Backup?
Hi
What are the contents of the backup you can take from the LogPoint GUI? I can see there is both a Configuration and a Logs backup, but what’s the content of the Configuration backup?
Will it have e.g:
- Users
- Dashboards
- Applications
- Devices
- Norm/enrichment/routing policies
-
Where can I find the older versions of Logpoint Applications ?
Many of our customers are still using older applications, including plugins and dashboards. It's always been a hassle migrating configuration from one Logpoint to another, as for a successful migration we need the exact same versions of applications on both Logpoints. Configuration backup on Logpoint does not back up the application itself. Is there any archive where we can find all the previous versions of the applications?
-
What are the best practices for tuning ZFS file system?
Can I get some best practices to fine-tune my ZFS system?
-
Zpool configurations in logpoint
One of our customers is going to add additional storage and extend an existing ZFS pool. I couldn't find any official documentation on this, so can anyone help me with the recommended steps to follow?
-
File Integrity monitoring for Linux
Hello! Do we have any sort of FIM facilities available for Linux systems?
-
Pushing Configuration from LPAgent to Windows LPAgent process
Sometimes, when creating a device, the configurations are not being pushed to the remote windows machines from LPAgent in Logpoint. What can be done?
-
LogPoint receiving "old" logs
When LogPoint receives “old” logs, it buffers them in the OldLogsKeeper directory.
What is the threshold of max oldest logs which still get processed in the normal way and not stored by the "old log keeper"?
-
LogPoint Collector - Buffering
When using the LogPoint Collector with buffering, where does the collector buffer the log? Is it possible to change the directory to another mountpoint? And how big is the buffer?
-
ZFS compared to EXT4 filesystem
Hi Team, do we have some pointers about the advantages of ZFS compared to EXT4 filesystem and why customers should use it to store Repo data?
-
Syslog events forwarding
Hi Team,
My customer wants to forward LogPoint logs through syslog protocol to an external SOC. What are the best options to do this?
-
Change IP address
I get this question often. What is our official reply?
- How can one change the IP address of a LogPoint appliance?
-
Is it OK to provide root privilege of Logpoint to our customers who are confident in Linux OS?
Is it safe to provide the root privilege of Logpoint to our customers? Do we have to look for any security concerns while doing so? Has it been done before?
-
Can we create a new UI admin user or change the password of any user using the CLI?
One of our customers forgot the admin user credentials and we need to reset the password for the user. Please let me know if there is any workaround to do this.
-
Fetching logs from Google Workspace
Some of our customers have requested logs from Google Workspace. The logs requirements range anywhere from email logs to drive usage logs. What features do we have currently to work on these sort of logs?
I could not see any features mentioned in the LP Help center. Are we working on this one?
-
Difference in SNMP Fetcher and SNMP trap collector
What is the difference between the SNMP fetcher and the SNMP trap collector, and which should I use to get health information using SNMP?
-
Domain Change
What do we advise customers when there is a change in the organizational domain but the logs still contain the old domain? For example: the systems are extracting logs linked to the old email address like @immunesecurity.com, but in AD it is @logpoint.com.
-
Is it possible to transfer files between collector and data node by using the existing VPN tunnel?
In the case where we need to transfer files from a collector to a data node and there is no other network connectivity than a VPN tunnel between the two, is it possible to transfer files between them? If so, how, and using which tools and protocols?
-
Network and System Health Monitoring
IT Operations and Monitoring has always been a crucial aspect of security for any organization. SIEM, a security incident and event management solution, today needs to do much more than what it used to do: manage incidents and events.
Modern SIEMs are versatile solutions covering not only your SOC demands but also providing rich visibility and accounting for NOC demands.
A typical enterprise network contains routers, switches, wireless APs, firewalls and so on. For a NOC team, the availability of the devices and their performance metrics are very important information. NOC teams generally use network monitoring tools in order to constantly monitor that information. Modern SIEMs enable you to put the NOC team under the same umbrella as the SOC.
Modern SIEMs provide visualizations, alerting and reporting capabilities for security/network events and incidents as well as real-time network health information like uptime, memory/CPU utilization, interface Tx/Rx, wireless client counts and so on. On top of that, Logpoint also has role-based access control, so that you can efficiently manage the SOC and NOC users.