Director Overview
Logpoint Director allows MSSPs (Managed Security Service Providers) and large organizations to manage the configuration and search-related functionalities of all their connected Logpoints from a central location.
Data segregation is a major concern in large organizations and MSSPs because of their multiple organizational units and extensive management needs. You can use Logpoint Director to partition your Logpoint instances into clusters, which we call pools. These pools are physically isolated and can be accessed and managed from a central location.
The Logpoint Director setup is an interconnected network of an API Server (Director Console API and Director Console UI), a Fabric Server, a Logpoint Search Master (LPSM), a Logpoint Search Head, and Distributed Logpoints. Together, the components allow a Director user to:
Configure Fabric-enabled Logpoints
Create Dashboards, Reports and Alerts
Perform search queries on all interconnected Logpoints
Monitor system and memory status
Centrally manage licenses and generate license reports

Why Logpoint Director?
Threat Intelligence Sharing: A threat identified in one pool is shared with the Logpoints of other pools, enhancing their collective ability to detect, prevent, and respond to cyber threats.
Central Management: Director Console allows centralized configuration management of Logpoint pools, while Logpoint Search Master (LPSM) enables search operations across these pools.
Secure Communication: The Logpoint UI and each Fabric-enabled Logpoint communicate through a separate, private VPN tunnel dedicated to each pool, ensuring security of your pools and connected Logpoints.
Reliability & Fault Tolerance: Data from connected Logpoints in the Fabric server is regularly updated and replicated, ensuring logs remain available when needed, reducing network load, and preserving data integrity during failures.
Data Privacy: Physical isolation of pools ensures that logs from one pool are not accessible to others. All changes are made centrally and replicated across connected Logpoints, without compromising data privacy.
Cost Efficiency: Director deployment can easily scale as the number of Logpoint pools increases. You can add Logpoint instances to your existing Director setup without having to make major architectural changes.

Components of Logpoint Director
Director Console
The Director Console lets you create and manage the configuration settings of the Fabric-enabled Logpoints divided into different pools. It allows you to search and configure entities including log sources, devices, policies, repos, and so on. You can also monitor entities using dashboards, SNMP, director components, and so on. It also lets you install plugins and patches and manage licenses on behalf of Fabric-enabled Logpoints.
Director Console UI
Allows users to install, configure, and upgrade Logpoint instances from a user interface.
Director Console API
Allows users to perform CRUD operations (Create, Read, Update, Delete) using REST APIs.
Logpoint Search Master (LPSM)
Logpoint Search Master (LPSM) is the primary interface for SIEM work in the Director setup. LPSM allows users to monitor Fabric-enabled Logpoints and impersonate changes made in Dashboard, Report, and Incident. Impersonation allows an LPSM user to make changes on Fabric-enabled Logpoints on behalf of local users, provided the appropriate permissions are granted.
You can perform tasks on connected Fabric-enabled Logpoints using LPSM such as:
Setting Alerts
Managing Incidents
Viewing Dashboards
Accessing different Logpoint pools
Using Search Queries
Director Fabric
Director Fabric ties together the Director Console and LPSM with Logpoint servers. It consists of one or more Fabric Servers and an API Server.
Fabric Server
Fabric Server acts as a communication bridge between the API Server, LPSM, and Logpoints. The server synchronizes and updates local data of connected Logpoints to maintain a copy and allow Director components to access data when required.
Fabric Server Applications:
Fabric Proxy: coordinated service for data and configuration management.
Fabric Storage: stores applications, patches, and CSV files.
Fabric Authenticator: network authentication protocol used to gain access to Fabric Storage.
API Server
API Server is a configuration management platform that exposes APIs to manage configuration settings on behalf of Fabric-enabled Logpoints.
To learn more about the APIs exposed by Director, refer to:
API Exposed Applications API Documentation
Fabric-enabled Logpoint
A Fabric-enabled Logpoint is a Logpoint managed by the Logpoint Director setup. A fully configured Logpoint can become Fabric-enabled after Fabric Connect is enabled. After enabling Fabric Connect, some UI features are disabled on the Logpoint (those functionalities remain available via the Director Console API).
Logpoint Pool
A Logpoint Pool is a group of Fabric-enabled Logpoints. Physical separation of pools ensures logs from one pool are not accessible via another.
Logpoint Search Head
Search Head is used to perform search queries across different Fabric-enabled Logpoints. LPSM can search only one Logpoint at a time; to search multiple nodes inside a Logpoint Pool, the Search Head must be connected to the Fabric Network. For more details, see: Search Head in the Director Setup

Modes of Operation
When a regular Logpoint becomes Fabric-enabled, there are two modes of operation to choose from. The Mode of Operation field allows you to choose between Normal mode and Co-Managed mode.
Normal mode
A Fabric-enabled Logpoint works in the normal mode when Co-Managed mode is not enabled. In the normal mode, certain features and functionalities of Logpoint are disabled. The Director Console API exposes the APIs of those functionalities to allow you to manage the configuration settings on behalf of the Fabric-enabled Logpoint. The configuration settings can also be carried out via the Director Console UI.
For example, when Logpoint becomes Fabric-enabled in normal mode, the create, edit and delete operations are hidden from the user interface, and a Logpoint user can only view the available device groups. These operations can only be carried out by a Director user via the exposed APIs or the Director Console UI.

Co-Managed Mode
The Co-Managed Mode allows Logpoint users to have complete control over their system despite being connected to the Director setup. This means when the Fabric-enabled Logpoint is in Co-Managed Mode:
The functionalities of its user interface are not restricted.
The functionality of LPSM remains unchanged.
The functionality of the Director Console APIs and the Director Console UI is restricted.
For example, on a regular Logpoint, the Settings >> Configuration >> Device Groups section allows you to add new device groups, read the available device groups, update device groups, and delete device groups.
In Co-Managed Mode, these functionalities can be performed through the Fabric-enabled Logpoint UI. The APIs and the Director Console UI are restricted from the Director setup in this case.

Incoherent Logpoint Versions
Before Director Console API v1.3.0, Director Console UI v1.5.0, and Logpoint Search Master (LPSM) v1.3.0, the Director setup did not support multiple versions of the Fabric-enabled Logpoint instances. If you upgraded the Logpoint, you also had to upgrade the Director setup to a compatible version. The upgraded Director setup then did not support the previous Logpoint version.
Starting from Director Console API v1.3.0, Director Console UI v1.5.0, Logpoint Search Master (LPSM) v1.3.0, and Logpoint v6.6.0, the Director setup supports different Logpoint versions. If you upgrade the Director setup, upgrading the Logpoint is optional. The upgraded Director setup supports the existing Logpoint version and the upgraded Logpoint version if both versions are compatible. This feature makes the Director setup backward compatible.

Incoherency in Director Console APIs
Starting from Director Fabric v1.3.0 and Logpoint v6.6.0, the Director Console APIs support multiple versions of Fabric-enabled Logpoint instances.
You can configure the entities in multiple versions of Fabric-enabled Logpoint instances using the Director Console APIs if the configuration parameters of the entities are compatible with each other.
However, you cannot configure the entities of a Fabric-enabled Logpoint that lead to a breaking change for an API. To configure those entities, you must upgrade the Director Fabric to the version with the fixes for the breaking changes. Refer to the API Documentation for details on breaking changes.
Incoherency in Director Console UI
Starting from Director Console v1.5.0 and Logpoint v6.6.0, Director Console supports multiple versions of Fabric-enabled Logpoint instances. You can configure bulk actions in different Logpoint versions if their configuration parameters are the same.

In the figure above, each device is configured to a different Logpoint version. However, the configuration of the selected LogPoint1 Device-1 is compatible only with the configurations of LogPoint4 Device-4 and LogPoint5 Device-5, so you can perform a bulk action on these devices at once. The Director Console disables the devices that are not compatible with the selected device's Logpoint version.
Incoherency in LPSM
Starting from LPSM v1.3.0 and Logpoint v6.6.0, LPSM supports multiple versions of Fabric-enabled Logpoint instances. You can manage and perform bulk actions in different Logpoint versions if their configuration parameters are the same.

In the figure above, each alert rule is configured to a different Logpoint version. However, the selected LogPoint1: AlertRule 1 is compatible only with LogPoint4: AlertRule-4 and LogPoint5: AlertRule-5, so you can perform a bulk action on these alert rules at once. LPSM disables the alert rules that are not compatible with the selected alert rule's Logpoint version.