SIEM - Health Monitoring & Troubleshooting
-
Information about Disk Storage
Hi,
I am reaching out to you regarding an issue I'm experiencing with the disk storage logs. It seems that for the past week, I have not been receiving any logs pertaining to disk storage. I would greatly appreciate it if you could kindly inform me about the possible reasons behind this. Thank you in advance.
Siawash
-
FileRecycled
Hi!
I have a question about the meaning of “FileRecycled”. In fact, in my dashboard I see action=FileRecycled but I can’t understand what exactly it means! Could you please explain to me what it means?
Thank you in advance for your reply.
Best regards,
Siawash
-
Alert rule with multiple streams and Jinja template not working?
I’ve built a search query that joins two streams/searches.
In the end I do some processing, and rename fields as needed, in my alert I added the renamed fields in my Jinja template, but when I receive the e-mail the fields come up blank.
My rule looks a bit like this:
[..] as s1 followed by [..] as s2 on s1.user=s2.user | process geopip(s2.source_address) | rename log_ts as tidspunkt_ts, s2.user as bruger, s2.machine as computernavn, s2.os_version as OS, s2.source_address as IP, country_name as land, city_name as 'by'
My e-mail notification looks like this:
Subject:
{{alert_name}} - {% if rows|length is gt 1 %}{{rows|length}} users connected{% else %}{{rows[0].bruger}} connected {% endif %}
Message:
{% for row in rows %}
<ul>
<li><b>Timestamp: </b>{{row.tidspunkt_ts}}</li>
<li><b>Brugernavn: </b>{{row.bruger}}</li>
<li><b>Brugerens Computernavn: </b>{{row.computernavn}}</li>
<li><b>Brugerens OS: </b>{{row.OS}}</li>
<li><b>Brugerens IP: </b>{{row.IP}} ({{row.land}}, {{row.by}})</li>
</ul>
{% endfor %}
The search works fine, the Jinja template does see 9 elements in the list, my template is repeated nine times, but the place where the property should appear contains no text.
Am I missing something obvious or does the rename command not affect the output to the Jinja template?
-
Delete files in storage folder with bash command
Hi friends,
I have the problem that the storage folder is now over 90% full.
Now I wanted to empty the folder using bash commands directly in the disk notification and have applied the following to "Command:": find /opt/makalu/storage/ -type f -mtime +30 -delete
Unfortunately without success, the folder grows and grows. Do you have a tip or a solution for this?
Thank you in advance and kind regards
-
How can we get a report or dashboard of how many rules triggered overall in Logpoint?
-
LogPoint 7 Python error running script
Hi
Have there been some changes in the implementation of Python in LogPoint 7?
I have 2 scripts that ran without errors in LogPoint 6 but now I get:
--
Traceback (most recent call last):
File "device_export_lp6.py", line 17, in <module>
from pylib import mongo
ModuleNotFoundError: No module named 'pylib'
--
Regards
Hans
-
How to create health alerts in Logpoint for monitoring
Hi Team,
Could you please help us create health alerts like CPU at 95% and memory usage more than 80% in Logpoint?
Thanks & Regards
Satya
-
Using Alert to populate a Dynamic List without the Alert firing
I wanted to share on the community how you can use an Alert rule to populate a dynamic list.
- Create the Dynamic list you want to populate
- Age limit on the Dynamic list is how long the data from the Alert will stay in the dynamic list before the values are removed
- Create the Alert that can populate the dynamic list
- Search Interval: Defines how often the search is running on the LogPoint. Every search interval it will update the dynamic list if it finds new values or prolong existing values in the dynamic list
- You can set the condition on the Alert to be something like Trigger: condition: Greater than "99999" for it to never fire to the incidents view.
- However the Alert still needs to find results in the | process toList() part of the search query to populate the Dynamic List.
This is a way to use an alert to automate the process of populating a dynamic list without the alert firing and cluttering the incidents view.
/Gustav
-
Normalizer Policy Runtime Usage Statistics?
Is it somehow possible to get runtime usage statistics from the normalizers?
What I want to see is:
How much time was spent within which Compiled Normalizer or Normalizer Package?
How many log messages were normalized with which Compiled Normalizer or Normalizer Package?
We have often seen performance issues due to poorly performing normalizer packages or compiled normalizers.
It would be much easier to figure out which normalizer is causing the performance issue here if you could see the above statistics.
This way you could identify runtime hotspots and perform optimizations.
Currently I do this manually by stopping a normalizer service and running it in the python debugger:
/opt/immune/bin/envdo /opt/immune/etc/env_bin/python -m pdb /opt/immune/installed/norm/apps/normalizer/normalizer.py /opt/immune/etc/config/normalizer_0/config.json
(Pdb)c
[wait a few seconds]
[press ctrl + c]
(Pdb)bt
(Pdb)list
(Pdb)display event
[check the currently processed log message]
-
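As an added example for the normalizer-statistics question above (not from the thread, and not LogPoint's normalizer format): a small Python harness that wraps a set of regex "normalizers", counts how many messages each one was tried on and actually normalized, and accumulates the time spent inside each, so the costliest one stands out. Normalizer names, patterns and log lines are constructed for the demo.

```python
import re
import time
from collections import defaultdict

# Constructed stand-ins for two normalizers (hypothetical names): each regex
# turns a raw line into a dict of fields, or yields None when it does not match.
NORMALIZERS = {
    "ssh_auth": re.compile(
        r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"),
    "firewall": re.compile(
        r"kernel: FW (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"),
}


class NormalizerStats:
    """Per-normalizer message counts and cumulative wall-clock time."""

    def __init__(self):
        self.calls = defaultdict(int)      # messages each normalizer was tried on
        self.matched = defaultdict(int)    # messages it actually normalized
        self.seconds = defaultdict(float)  # time spent inside it

    def normalize(self, line):
        """Try normalizers in order; return (name, fields) or (None, None)."""
        for name, pattern in NORMALIZERS.items():
            start = time.perf_counter()
            match = pattern.search(line)
            self.seconds[name] += time.perf_counter() - start
            self.calls[name] += 1
            if match:
                self.matched[name] += 1
                return name, match.groupdict()
        return None, None

    def hotspots(self):
        """(name, seconds) pairs sorted costliest first."""
        return sorted(self.seconds.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample log lines; the cron line matches no normalizer.
SAMPLE_LOGS = [
    "Jan 10 10:00:01 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 5222 ssh2",
    "Jan 10 10:00:02 host1 kernel: FW DROP SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP",
    "Jan 10 10:00:03 host1 sshd[2202]: Failed password for root from 198.51.100.7 port 5223 ssh2",
    "Jan 10 10:00:04 host1 cron[410]: (root) CMD (run-parts /etc/cron.hourly)",
]


def run(lines=SAMPLE_LOGS):
    """Normalize every line and return (stats, list of (name, fields))."""
    stats = NormalizerStats()
    return stats, [stats.normalize(line) for line in lines]


if __name__ == "__main__":
    stats, _ = run()
    for name, secs in stats.hotspots():
        print(f"{name:9s} tried={stats.calls[name]} matched={stats.matched[name]} time={secs * 1e6:.1f}us")
```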
LPA Agents status
Hi
I got this Python script from Mingma in LogPoint support, and think it is such a great utility, that it would be a pity if it is not available for others in the LogPoint community.
It makes a csv-file of the info from the 'Agents' section of the 'LogPoint Agent Plugin' listing:
"Device Name, Template, Source, Encryption, Last Config Update, Status"
This can be used for different purposes, like for example documenting the Agents status to the customer.
Regards
Hans
-
"/opt/makalu/storage" grows and grows and grows
Hi,
Since I installed Logpoint 6.12 three weeks ago, "/opt/makalu/storage" grew from 47 % to 89 %.
Does anyone have the same issue?
Best regards,
Hans Vedder
-
Adding devices to logpoint with CSV
Hi
I have 70+ devices to add to logpoint for monitoring. The version of Logpoint is 6.7.4.
I don't want to key them in with the GUI (takes too long, risk of mistakes). I have the device details in a spreadsheet; extracting to a CSV and loading the CSV into Logpoint with the UI is the best way.
The device uses a proxy
I have followed the documentation - but perhaps I’ve misread something.
The CSV line below gives the error “Exception, Nonetype object has no attribute split”
device_name,device_ips,device_groups,log_collection_policies, distributed_collector,confidentiality,integrity,availability,timezone,uses_proxy, proxy_ip, hostname, processpolicy
device1,10.0.0.1,linux,,,,,,Europe/London,TRUE,192.168.1.1,10.0.0.1,Linux
I can add devices without issue if I remove the last 4 fields from the CSV (i.e. uses_proxy, proxy_ip, hostname, processpolicy), but I do want to add the syslog collector details.
Does anyone know if adding devices with a CSV actually works when you also want to add the syslog collector?
Thanks
Patrick Kelly
Note: my question doesn't fit into any of the predefined categories, so I have to put it into Operations Monitoring.
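As an added example (not from the thread): a Python pre-check over the two CSV lines quoted above. It reports header names carrying stray whitespace (the question's header has " distributed_collector", " proxy_ip", " hostname" and " processpolicy"), rows whose column count differs from the header, and empty fields per row, and it writes a copy with the header names trimmed. Whether any of these is what triggers the "Nonetype" error on 6.7.4 is not stated in the thread; the check only rules them out before the import is retried.

```python
import csv
import io

# Constructed copy of the header and device row from the question.
SAMPLE_CSV = """\
device_name,device_ips,device_groups,log_collection_policies, distributed_collector,confidentiality,integrity,availability,timezone,uses_proxy, proxy_ip, hostname, processpolicy
device1,10.0.0.1,linux,,,,,,Europe/London,TRUE,192.168.1.1,10.0.0.1,Linux
"""


def check_device_csv(text):
    """Findings: padded header names, column-count mismatches, empty fields per row.
    Which empty columns the importer actually requires is not known here."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    findings = {
        "padded_headers": [h for h in header if h != h.strip()],
        "column_count_mismatch": [],   # (line number, row columns, header columns)
        "empty_fields": {},            # line number -> list of empty column names
    }
    clean = [h.strip() for h in header]
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != len(clean):
            findings["column_count_mismatch"].append((lineno, len(row), len(clean)))
            continue
        empties = [name for name, value in zip(clean, row) if value.strip() == ""]
        if empties:
            findings["empty_fields"][lineno] = empties
    return findings


def normalize_headers(text):
    """Return the CSV with whitespace stripped from header names; values untouched."""
    rows = list(csv.reader(io.StringIO(text)))
    rows[0] = [h.strip() for h in rows[0]]
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for key, value in check_device_csv(SAMPLE_CSV).items():
        print(f"{key}: {value}")
    print(normalize_headers(SAMPLE_CSV))
```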
-
Extract of LPA information for customer use
When using the LogPoint agent all administration is done in the LPA plugin, which can only be accessed by the LogPoint administrator.
Some customers want reporting on the operational side of things, and part of that is a report displaying:
Device Name ,Template,Source,Encryption,Last Config Update,Status
How can this output be created without supplying the customer with a number of screenshots?
-
Sample Template for multiple Public Widgets on the same web page
Sometimes it is necessary to publish LP widgets on a central screen/monitor without having to authenticate the user. LogPoint has a built-in feature to publish URLs that are Public, i.e. no authentication is needed.
This is a great feature, but it also implies that only one widget can be displayed in the whole browser. To accommodate this and enable multiple widgets on the same browser page, one can use a template HTML page that contains multiple URLs included with the HTML tag <iframe>. Each <iframe> tag can display a widget, and thus we can have multiple public widgets on the same web page.
Below is an embryo for such a template. In the example below, there are two <iframe> tags that correspond to two different Public URLs. The nice thing is that the size and placement of each <iframe> can be specified by using <iframe> attributes. The details of the tag attributes are out of scope for this post, but more information about them can be found here:
https://www.w3schools.com/tags/tag_iframe.asp
If you want to add more widgets on the same page, simply copy from ‘<iframe>’ until the next ‘</iframe>’ and adjust the attributes as you need (most likely ‘width=’ and ‘height=’). You also need to specify the correct Public URL in the ‘src=’ attribute.
The ‘<br>’ tag indicates a break, i.e. a new line will be used for the following ‘<iframe>’.
<html>
<head>
<!--
A simple HTML template to insert multiple LogPoint Public Widgets URLs on the same page. Useful for 'Always On Monitors' to display relevant Widgets.
Mike Blomgren, LogPoint, 2021-06-31
To insert additional Widgets, just copy from <iframe ..... until ... </iframe> and modify the URL to point to the Public URL.
Sample:
<iframe src="https://<public URL>" width="600px" height="300px">
</iframe>
Change the Width and Height values to accommodate the desired Widget size in pixels.
The '<br>' tag inserts a new line, to display widgets beneath each other.
Change the refresh "content" value (in seconds) to set the refresh interval (sometimes not needed, though).
-->
<meta http-equiv="refresh" content="30">
</head>
<body>
<iframe src="https://<public LP Widget URL>" width="600px" height="300px">
</iframe>
<br>
<iframe src="https://<public LP Widget URL>" width="50%" height="400px">
</iframe>
</body>
</html>
-
What is "LogPoint Operations Monitoring"?
“LogPoint Operations Monitoring” is an additional service that LogPoint customers can subscribe to if they have limited resources to maintain the LogPoint system itself. With Operations Monitoring, a dedicated LogPoint team continually checks the overall system health of the LogPoint solution. We monitor the status of your system, including CPU usage, disk storage and I/O operations, to help detect and prevent failures and ensure maximum availability.
If there are any issues, our team will respond fast and with quality to avoid any operational disruptions of your LogPoint solution. Operations Monitoring frees up valuable resources so you can focus on other high-priority tasks.
Why might you need Operations Monitoring?
Get control from day one
Our experts keep your system running so you need fewer resources.
Save up to 50% of your time on maintenance tasks
Have more time for what really matters like incident response and threat hunting.
Keep your SIEM up to date
We’ll help upgrade and patch your SIEM to the latest versions.
Advice from our experts
We continuously review hardware requirements, dashboards, queries and reports.
Insight into system performance
Monthly reports on operational health and incident overview
A dedicated support team
We’ll submit support tickets for you and solve issues quickly
-
How to check alerts rules
How can I check that my alert rules are correct and running smoothly?
-
What is the maximum data size of logs a collector can hold in a DLP environment when buffering is enabled?
In the case of a DLP environment with a collector and a data node, if the connection is lost between the two, what is the maximum data size of logs the collector can hold?
-
Technical Requirements required for onboarding Operations Monitoring
Hi Team,
Do we have a checklist I can share with customers about things to prepare before subscribing to Operations Monitoring?
I am looking for more of a technical requirement like firewall rules, support connection, passwords, and so on.