Configure Entities

Device Groups

A device group is a collection of log-forwarding devices. You can associate a single device with multiple device groups.

Configure Device Groups
  1. Go to Configure >> Entities >> Device Groups.

  2. Select the LogPoint instances where you want to configure the device group.

  3. Click Next.

Configuring the Device Groups
  4. Enter a Name and a Description of the device group.

  5. Select the Devices to add to the device group.

    Note

    For multiple LogPoint instances, you can select only the devices common to the selected LogPoint instances.

  6. Click Add to List. You can view the Selected Devices on the right side of the page.

  7. Click Next.

Confirming the Changes
  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

  10. Click OK.

Devices

Devices are the machines from which you send logs to Logpoint. To start receiving logs from a device, configure it in Logpoint and assign collection configurations and repos to it.

Add a Device
  1. Go to Configure >> Entities >> Devices.

Creating a Device

    Note

    Click Download CSV File to download the configuration of all devices in CSV. You can also download the configurations of the devices configured on a particular Logpoint by selecting the Logpoint from Select Configuration Location and clicking Download CSV File.

  2. Select the Logpoint instances where you want to configure the device.

  3. Click Next.

Configuring the Device
  4. Enter a Name.

  5. In Device address(es), enter the IP addresses or hostnames of the device. Logpoint currently supports only hostnames that resolve to a single IP address. Press Enter after every addition.

  6. Select the Timezone of the device. The time zone of the device must be the same as that of the log source.

  7. Select the risk values for Integrity, Availability, and Confidentiality.

  8. Select the Device Groups to which you want to add the device and click Add to List.

    Note

    For multiple Logpoint instances, you can select only the device groups common to the selected Logpoint instances.

  9. Select the Log Collection Policies to which you want to add the device and click Add to List.

    Note

    For multiple Logpoint instances, you can select only the log collection policies used by the selected Logpoint instances.

  10. Select the Distributed Collectors to which you want to add the device and click Add to List.

  11. Click Next.

Confirming the Changes
  12. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  13. Click Finish.

  14. Click OK.

Import Devices via a CSV File

Using Director Console, you can add multiple devices to a Fabric-enabled Logpoint by importing them via a CSV file.

Note

You can import devices via a CSV file for Fabric-enabled Logpoint v6.7.2 and later.

  1. Go to Configure >> Entities >> Devices.

Importing Devices
  2. Click Import.

  3. Upload a CSV file.

    The first line of the CSV file must be a header row. You can use device_name, device_ips, device_groups, log_collection_policies, timezone, confidentiality, integrity, availability, distributed_collector, use_as_proxy, uses_proxy, charset, parser, processpolicy, proxy_ip, hostname, and machine_name as the header fields.

    The device_name, device_ips, and machine_name fields are mandatory. The machine_name is case-sensitive and must exist in Director Console.

    Note

    For more details, go to Importing Devices via a CSV File.

Import Device Page After the CSV File is Imported

    Once the import process is complete, you can see all the devices from the CSV file.

Note

  • You can toggle the error symbol to view the rows with errors.

  • You can select the columns you want to view in the UI from the drop-down.

  4. Click Finish.

  5. Click OK.

Download or Edit a CSV File

In Director Console, you can download the CSV file to edit the device information and upload it in Director Console to update the changes. You can download the CSV file from the Create Device page or the Tasks page.

Download and Edit the CSV File from the Create Device Page

  1. Go to Configure >> Devices.

  2. Click Download CSV File to download all the device configuration.

    Note

    Select a Logpoint from the Select Configuration Location if you want to download the CSV file for a specific Logpoint and click Download CSV File.

  3. Open the CSV file in any editor of your choice.

    You can find a new header called id which lists the ids of the created devices.

  4. Make the necessary changes and import the CSV file again.

Download and Edit the CSV File from the Tasks Page

  1. Go to the Tasks page.

  2. Click the Download option in the Actions column of the import device operation to download the CSV file for the entire import device operation.

  3. Click the Expand symbol and click the Download option in the Actions column of a specific Logpoint to download the CSV file for the device operation carried out in that Logpoint.

  4. Open the CSV file in any editor of your choice.

    You can find two new headers, id and message: the id column lists the ids of the devices successfully created from the CSV file, and the message column explains why a device could not be created.

  5. Make the necessary changes and import the CSV file again.

Demonstration of Importing Devices

Consider a sample CSV file with the following data:

Sample CSV File

In this example, Policy 3 has no collectors or fetchers configured, and Policy 4 and Device_Group_II have not been created.

Importing the Devices

  1. Go to Configure >> Entities >> Devices.

  2. Click Import.

  3. Upload the CSV file.

  4. Click Finish.

  5. Click OK.

  6. Go to the Tasks page.

  7. Click the Expand symbol. You can see the Status of the import device operation for each Logpoint.

  8. Click Download under ACTIONS of the failed import device task.

  9. Open the CSV file in any editor of your choice.

  10. Go to the message header row to find out why the operation failed.

  11. Create the log collection policy Policy 4 and configure collectors and fetchers to it.

  12. Create the device group Device_Group_II in Director Console.

  13. Import the CSV file again.

  14. Click Finish.

  15. Click OK.

  16. Go to the Tasks page and check the Status of the import device operation.
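The following added example (not Director Console code, and not part of the original page) checks a device CSV before you import it, using the header fields named above, and then writes the file back with a message column of the kind the Tasks page download carries for rows that could not be created. The set of existing machines, device groups and log collection policies is constructed for the example, as is the sample CSV, which mirrors the demonstration: Policy 3 has no collectors or fetchers, and Policy 4 and Device_Group_II do not exist. The use of `|` to separate several values in one cell is an assumption, not a documented format.

```python
import csv
import io

# Header fields named on the page; the first three are mandatory.
KNOWN_HEADERS = {
    "device_name", "device_ips", "device_groups", "log_collection_policies",
    "timezone", "confidentiality", "integrity", "availability",
    "distributed_collector", "use_as_proxy", "uses_proxy", "charset", "parser",
    "processpolicy", "proxy_ip", "hostname", "machine_name",
}
MANDATORY = ("device_name", "device_ips", "machine_name")

# Constructed stand-in for what already exists in Director Console.
EXISTING = {
    "machines": {"LP-Primary", "LP-Secondary"},           # machine_name is case-sensitive
    "device_groups": {"Device_Group_I"},
    "log_collection_policies": {"Policy 1", "Policy 2", "Policy 3"},
    "policies_with_collectors": {"Policy 1", "Policy 2"},  # Policy 3 has none configured
}


def _split(value):
    """Multi-valued cells are assumed to be '|'-separated (an assumption for this example)."""
    return [v.strip() for v in (value or "").split("|") if v.strip()]


def check_row(row, existing=EXISTING):
    """Return the problems of one row, in the spirit of the Tasks-page 'message' column."""
    problems = []
    for field in MANDATORY:
        if not (row.get(field) or "").strip():
            problems.append(f"missing mandatory field {field}")
    machine = (row.get("machine_name") or "").strip()
    if machine and machine not in existing["machines"]:
        problems.append(f"machine_name {machine!r} does not exist (names are case-sensitive)")
    for group in _split(row.get("device_groups")):
        if group not in existing["device_groups"]:
            problems.append(f"device group {group!r} has not been created")
    for policy in _split(row.get("log_collection_policies")):
        if policy not in existing["log_collection_policies"]:
            problems.append(f"log collection policy {policy!r} has not been created")
        elif policy not in existing["policies_with_collectors"]:
            problems.append(f"log collection policy {policy!r} has no collectors or fetchers configured")
    return problems


def validate_csv(text, existing=EXISTING):
    """Validate the header row and every data row.

    Returns (unknown header names, {line number: [problems]}); raises if a
    mandatory header is missing, because no row could be imported then.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [h for h in MANDATORY if h not in headers]
    if missing:
        raise ValueError(f"header row lacks mandatory field(s): {missing}")
    unknown = sorted(set(headers) - KNOWN_HEADERS)
    messages = {}
    for number, row in enumerate(reader, start=2):   # line 1 is the header row
        problems = check_row(row, existing)
        if problems:
            messages[number] = problems
    return unknown, messages


def annotate_csv(text, existing=EXISTING):
    """Write the CSV back with an added 'message' column, like the Tasks-page download."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(reader.fieldnames) + ["message"])
    writer.writeheader()
    for row in reader:
        row["message"] = "; ".join(check_row(row, existing))
        writer.writerow(row)
    return out.getvalue()


# Constructed sample CSV matching the demonstration above.
SAMPLE_CSV = """device_name,device_ips,machine_name,device_groups,log_collection_policies
web-01,10.0.0.11,LP-Primary,Device_Group_I,Policy 1
db-01,10.0.0.12,LP-Primary,Device_Group_I,Policy 3
app-01,10.0.0.13,LP-Primary,Device_Group_II,Policy 4
bad-01,,lp-primary,,
"""

if __name__ == "__main__":
    unknown, messages = validate_csv(SAMPLE_CSV)
    print("unknown headers:", unknown)
    for line, problems in messages.items():
        print(f"line {line}: " + "; ".join(problems))
    print(annotate_csv(SAMPLE_CSV))
```

Running the check before the import saves a round trip through the Tasks page: the rows for db-01, app-01 and bad-01 are reported with the same reasons the demonstration fixes by creating Policy 4 and Device_Group_II, while the case mismatch in the last row is caught before the import fails on the machine name.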

Enrichment Policies

An enrichment policy is a set of enrichment specifications. Each log from the device or collector/fetcher configured for an enrichment policy goes through each of the specifications. Refer to the Enrichment Policies section in LogPoint to learn more about enrichment policies.

Configure Enrichment Policies
  1. Go to Configure >> Entities >> Enrichment Policies.

  2. Select the LogPoint instances where you want to configure the enrichment policy.

  3. Click Next.

  4. Enter a Name and a Description.

  5. Select a Type. An enrichment criterion can be of the Key Present or Value Matches type.

    • For the Key Present type, enter the Key.

    • For the Value Matches type, enter the Key and the Value associated with the key.

  6. Under Enrichment Rules:

    6.1. Select an Enrichment Source. The other values needed for the enrichment rule depend on the selected Enrichment Source.

    6.2. Select a Source.

    6.3. Select an Operation. The default value of Operation is Equals.

    6.4. Select a Category. A category can be Simple or Type Based.

    6.4.1. If you select Simple, enter the Event Key for the source.

    6.4.2. If you select Type Based, select an Event Key Type. For the Type Based enrichment category, all the fields of the selected type are eligible to be enriched.

    6.5. Select Enable Prefixing to prefix the results with the event key. LogPoint presents the results in the alphabetical order of the event key.

  7. Click Add Specification.

    Note

    • A specification can have multiple enrichment criteria and enrichment rules.

    • To add a new enrichment criterion, enter the required values and click Add Criteria. The new criterion is listed under Enrichment Criteria on the right side of the page.

    • To add a new enrichment rule, enter the required values and click Add Rule. The new rule is listed under Enrichment Rule on the right side of the page.

    • You can delete added criteria and rules. Click the Delete icon in the Actions column of the criterion or the rule to remove it from the specification.

  8. Click Next.

  9. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  10. Click Finish.

  11. Click OK.
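The added example below (not LogPoint code; written for this page) models the pieces configured in the steps above: Key Present and Value Matches criteria, a rule with a Source column, the Equals operation, the Simple and Type Based categories, and Enable Prefixing. The enrichment source is a constructed asset table, and the Event Key Type called `ip` with its member fields is an assumption, since the page does not list the types. It also assumes that every criterion of a specification must hold before its rules run. The point it shows is why prefixing matters for a Type Based rule: without it, results for two fields of the same type overwrite each other.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed enrichment source: a small asset inventory keyed on IP address.
ASSET_TABLE = [
    {"ip": "10.0.0.11", "owner": "web-team", "zone": "dmz"},
    {"ip": "10.0.0.12", "owner": "db-team", "zone": "internal"},
]

# Assumed mapping from an Event Key Type to the normalized fields of that type.
EVENT_KEY_TYPES = {"ip": ["source_address", "destination_address"]}


@dataclass
class Criterion:
    """An enrichment criterion of type Key Present or Value Matches."""
    kind: str
    key: str
    value: Optional[str] = None

    def matches(self, log: dict) -> bool:
        if self.kind == "Key Present":
            return self.key in log
        if self.kind == "Value Matches":
            return log.get(self.key) == self.value
        raise ValueError(f"unknown criterion type {self.kind!r}")


@dataclass
class Rule:
    """Compare the Source column of the enrichment source with one event key
    (Simple category) or with every field of an Event Key Type (Type Based)."""
    source_column: str
    event_keys: list
    operation: str = "Equals"        # Equals is the default; the only operation modeled here
    enable_prefixing: bool = False

    def apply(self, log: dict, table: list) -> dict:
        added = {}
        for event_key in self.event_keys:
            if event_key not in log:
                continue
            for row in table:
                if self.operation != "Equals" or row.get(self.source_column) != log[event_key]:
                    continue
                for column, value in row.items():
                    if column == self.source_column:
                        continue
                    # Enable Prefixing keeps results from different event keys apart.
                    name = f"{event_key}_{column}" if self.enable_prefixing else column
                    added[name] = value
        return added


@dataclass
class Specification:
    criteria: list
    rules: list
    table: list

    def enrich(self, log: dict) -> dict:
        # Assumption: all criteria of a specification must hold before its rules run.
        if not all(c.matches(log) for c in self.criteria):
            return dict(log)
        enriched = dict(log)
        for rule in self.rules:
            enriched.update(rule.apply(log, self.table))
        return enriched


def run_policy(specifications: list, log: dict) -> dict:
    """An enrichment policy: each log goes through each specification in turn."""
    for spec in specifications:
        log = spec.enrich(log)
    return log


def build_policy(enable_prefixing: bool) -> list:
    """Enrich allowed connections only, on both IP-typed fields of the log."""
    criterion = Criterion("Value Matches", key="action", value="allow")
    rule = Rule("ip", EVENT_KEY_TYPES["ip"], enable_prefixing=enable_prefixing)
    return [Specification([criterion], [rule], ASSET_TABLE)]


# Constructed normalized firewall event.
SAMPLE_LOG = {"source_address": "10.0.0.11", "destination_address": "10.0.0.12", "action": "allow"}

if __name__ == "__main__":
    print(run_policy(build_policy(enable_prefixing=True), SAMPLE_LOG))
    print(run_policy(build_policy(enable_prefixing=False), SAMPLE_LOG))
```

With prefixing on, the event gains source_address_owner, source_address_zone, destination_address_owner and destination_address_zone; with it off, only owner and zone survive, holding whichever match was applied last, so the source's ownership is silently lost.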

Label Packages

Director Console allows you to create label packages in multiple Fabric-enabled LogPoint instances. Label packages are the collection of labeling rules. Labeling rules are search terms that apply specific labels to log messages. Using labels, you can group similar logs. Refer to the Label Packages section in LogPoint for more details.

Note

You can configure label packages for Fabric-enabled LogPoint v6.10.0 and later.

Add a Label Package
  1. Go to Configure >> Entities >> Label Packages.

  2. Select the LogPoint instances where you want to configure the label package.

  3. Click Next.

  4. Enter a Name and a Description for the label package.

  5. Enter a Search Query and a List of Labels you want to add to the query in the Label Information section.

  6. Click Add Label.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task as a PDF.

  9. Click Finish.

  10. Click OK.

Lists

Using Director Console, you can create static and dynamic lists in Fabric-enabled LogPoint instances. A static list in LogPoint is the collection of pre-defined values and a dynamic list in LogPoint is a list that collects specific values from the events during the runtime and stores them for a limited or an unlimited period. Refer to the Lists section in LogPoint for more details.

Note

You can configure lists for Fabric-enabled LogPoint v6.7.2 and later.

Add a Static List
  1. Go to Configure >> Entities >> Lists.

  2. Select the LogPoint instances where you want to configure the static list.

  3. Click Next.

  4. Select Static List.

  5. Enter a Name for the static list.

  6. Enter a List of Values to add in the static list.

  7. Select lists provided by the vendor from the Also Include From Vendor drop-down.

  8. Click Next.

  9. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  10. Click Finish.

  11. Click OK.

Add a Dynamic List
  1. Go to Configure >> Entities >> Lists.

  2. Select the LogPoint instances where you want to configure the dynamic list.

  3. Click Next.

  4. Select Dynamic List.

    Note

    • Refer to the Dynamic Lists section to define the list values of the dynamic list with the process command.

    • You can also define the dynamic list values with the process command for a Fabric-enabled LogPoint from the LogPoint Search Master where it is configured.

  5. Enter a Name for the dynamic list.

  6. Enter the Age Limit in Day, Hour, and Minute. After the Age Limit is over, the dynamic list values are removed.

    Note

    The Age Limit must be at least 30. If you do not want the values to expire, set the Age Limit as 0.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

    Note

    You must refresh lists from the Refresh List APIs section before editing a dynamic list from the Search page.

  10. Click OK.

Log Collection Policies

A log collection policy allows you to configure different collectors and fetchers to multiple devices at once.

In Director Console, you can add a collector or a fetcher to a log collection policy from the built-in collectors/fetchers section. Once you add the required collectors and fetchers, you can configure the policy to a device. The device uses the collectors and fetchers from the policy, which helps to speed up the configuration process.

Note

  • You can configure log collection policies for Fabric-enabled LogPoint v6.7.2 and later.

  • Refer to the required collector or fetcher section to configure it to a log collection policy.

Configure Log Collection Policies
  1. Go to Configure >> Entities >> Log Collection Policies.

  2. Select the LogPoint instances where you want to configure the log collection policy.

  3. Click Next.

  4. Enter a Name for the policy.

  5. Enter its Description.

  6. Click Next.

  7. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  8. Click Finish.

  9. Click OK.

Log Sources

Log Sources allow you to configure different servers, applications, network devices, databases, or any other sources to collect or fetch their logs. The collected or fetched log data is then centralized and analyzed within Logpoint in real-time to detect potential security threats. To learn more, go to Log Sources.

You can configure Log Sources using collectors, fetchers or any log source integrations installed on Logpoint.

Create Log Sources

To create a Log Source, you must select the pool and machine on which you want to create one.

  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click Create Log Source.

  3. Select the source on which you want to base the log source.

  4. Select Pool and Machine.

  5. Click Next.

You can create a Log Source using any of the following integrations, collectors or fetchers:

Edit Log Sources
  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click the log source and make the necessary changes.

  3. Click Update Log Source.

Delete Log Sources
  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click the more icon of the log source and click Delete Log Source.

  3. Click Delete to confirm.

Alternatively,

  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click on the Log source.

  3. Click the more icon and click Delete Log Source.

Log Source Templates

The Director Console includes pre-configured Vendor Templates derived from connected Logpoints. You can use these templates to create new ones even after disconnecting your Logpoints; the templates are not deleted. Only the latest version of a template is saved, replacing older versions. You can create log sources from templates that come with predefined settings and configurations to fetch logs from different sources using the Universal REST API Fetcher or the Syslog Collector.

Universal REST API Fetcher-based Templates
  1. DuoSecurityFetcher

  2. Trellix

  3. Sophos

  4. Okta

  5. CiscoAMP

    Vendor Templates

To configure Sophos, Okta, and CiscoAMP:

  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar and click Browse Log Source Templates.

  2. Click the log source template. All the fields are pre-configured; change the configuration only if needed.

  3. Click Create Log Source.

Syslog Collector-based Templates

Go to Syslog Collector-based Templates for the complete list.

For Syslog Collector-based templates, enter the device address to create a log source. All other settings are optional. Go to syslog-collector to learn more.

To create:

  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar and click Browse Log Source Templates.

  2. Click the log source template for an integration.

  3. Enter the Device Addresses.

  4. Click Create Log Source to save the configuration.

Create a Template

You can create new templates from previously created log sources and later use them to configure the same or different sources.

To create a new template:

  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click the previously created log source.

  3. Click the more icon and click Configure Template.

  4. Configure the template using relevant values.

  5. Click Save as Template.

To find the created template, go to CONFIGURE >> LOG SOURCES and click Browse Log Source Templates.

To save and use the created template as a log source, click the template and click Save Changes. The template is now saved as a log source. However, Logpoint must have the normalizers and repos used in the template. If the repos are not there, you must either create repos with the same names or select different ones. For normalizers, you can either install the normalizers or deselect them.

If Logpoint does not have the signature-based normalization package used in the imported template, Log source automatically installs it.

Updating a Template

You can modify the configurations of the previously created custom templates as per your need. To update template configuration:

  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click Browse Log Source Templates.

  3. Click the more icon on the template and click Edit Template.

  4. Select Pool and Machine.

  5. Click Next.

  6. Click the more icon and click Configure Template.

  7. Make the necessary changes and click Update Template.

    7.1. To save the changes as a new template, enter a new name for the template and click Clone and Save as New Template.

    7.2. To save the changes in the same template, click Update Template.

The Log Source Template configurations are now updated. You can also update the log sources configurations that are created using this template. Select the log sources to update and click Update Log Sources.

For Universal REST API, only the following entities are updated when you click Update Log Sources:

  • Fetch Interval (min)

  • Request Timeout (secs)

  • Retry After (secs)

  • Charset

  • Custom Headers

  • Enforce HTTPS Certificate Verification

  • Normalizer

  • Logo

  • Description

  • Vendor Name

For Syslog Collector, only the following entities are updated:

  • Parser

  • Confidentiality

  • Integrity

  • Availability

  • Normalizer

  • Logo

  • Description

  • Vendor Name

  • Normalization

You can also update the template later on. Templates ready for update are marked with Update available.

Update Available Information

Open the Log source and click on Update Available.

Import a Template
  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click Browse Log Source Templates.

  3. Click Import Templates and then Browse.

  4. Browse for the template. Select it.

  5. Click OK.

Go to CONFIGURE >> LOG SOURCES to find the imported template. If a template with the same name as the imported template already exists, you get an error message. You must rename the .pak file and import it again.

Delete a Template
  1. Go to CONFIGURE >> LOG SOURCES from the navigation bar.

  2. Click Browse Log Source Templates.

  3. Click the more icon for the Log Source and click Delete Template.

Macros

You can create macros to save any search query with an alias and use it to perform a search action based on the saved query in a Fabric-enabled LogPoint. Refer to the Macros section in LogPoint for more details.

Note

You can configure macros for Fabric-enabled LogPoint v6.10.0 and later.

Configure Macros
  1. Go to Configure >> Entities >> Macros.

  2. Select the LogPoint instances where you want to configure the macro.

  3. Click Next.

  4. Enter a Name for the macro. The field supports alphanumeric and underscore (_) characters.

  5. Enter a complete and valid query in the Query field.

  6. Click Validate Query.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task as a PDF.

  9. Click Finish.

  10. Click OK.

Normalization Packages

Normalization packages are the collections of log signatures. A log signature defines the rules to extract the key-value pairs from a log. A normalization package consists of the log signatures that normalize logs from a particular log source.

Add a Normalization Package
  1. Go to Configure >> Entities >> Normalization Packages.

  2. Select the Logpoint instances where you want to configure the normalization package.

  3. Click Next.

  4. Enter a Name and a Description of the package.

  5. Enter a Pattern and an Example that matches the pattern.

  6. Enter a Key Value to add extra values to a signature.

  7. Enter a Replace Key Value to replace a key-value pair with another one.

    Note

    You can add multiple key values and replace values in a signature.

  8. Click Add Signature. You can add multiple signatures in a normalization package.

    Note

    You can click the Check Pattern icon of a signature to check whether the pattern matches the example.

  9. Click Next.

  10. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  11. Click Finish.

  12. Click OK.

Edit a Normalization Signature
  1. Select the signature you want to edit from the signature list.

  2. Update the pattern and its example.

  3. Click Edit Signature.

Note

You can reorder the signatures by dragging and dropping them.

Normalization Policies

A normalization policy is a combination of one or more normalization packages. You can select different normalization packages and group them under a normalization policy.

Configure Normalization Policies
  1. Go to Configure >> Entities >> Normalization Policies.

  2. Select the LogPoint instances where you want to configure the normalization policy.

  3. Click Next.

  4. Enter a Name.

  5. Select the Compiled Normalizers to be applied to the normalization policy.

    The normalization policy first uses the compiled normalizers to normalize the incoming logs. The regex-based normalizers are only used if all the compiled normalizers fail to normalize the logs.

  6. Click Add to List.

  7. Select the Normalization Packages to be applied to the normalization policy.

  8. Click Add to List. The added compiled normalizers and normalization packages are listed on the right side of the page.

    Note

    • To reorder the compiled normalizers and normalization packages, click Move Up and Move Down in the Action column.

    • To delete the compiled normalizers and normalization packages, click Delete from the Action column.

  9. Click Next.

  10. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  11. Click Finish.

  12. Click OK.
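The added example below (written for this page; not LogPoint's normalizer code) models both the Normalization Packages section and the Normalization Policies section above: a signature with a Pattern, an Example, a Check Pattern step, extra Key Values and a Replace Key Value; a package that tries its signatures in order; and a policy that tries compiled normalizers first and falls back to the regex-based packages only when all of them fail. LogPoint's own signature syntax is not shown on the page, so patterns are modeled as Python regular expressions with named groups, Replace Key Value is modeled as renaming a key, and the compiled normalizer is a stand-in that accepts JSON lines. The login log format and the signatures are constructed.

```python
import json
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    """One log signature of a normalization package.

    Pattern is modeled as a Python regex with named groups (an assumption;
    the page does not show LogPoint's signature syntax).
    """
    pattern: str
    example: str
    key_values: dict = field(default_factory=dict)          # Key Value: extra pairs added on match
    replace_key_values: dict = field(default_factory=dict)  # Replace Key Value, modeled as {old_key: new_key}

    def check_pattern(self) -> bool:
        """The Check Pattern step: does the Example match the Pattern?"""
        return re.fullmatch(self.pattern, self.example) is not None

    def normalize(self, raw: str):
        match = re.fullmatch(self.pattern, raw)
        if match is None:
            return None
        fields = match.groupdict()
        fields.update(self.key_values)
        for old, new in self.replace_key_values.items():
            if old in fields:
                fields[new] = fields.pop(old)
        return fields


@dataclass
class NormalizationPackage:
    name: str
    signatures: list

    def normalize(self, raw: str):
        for signature in self.signatures:   # tried in the drag-and-drop order
            fields = signature.normalize(raw)
            if fields is not None:
                return fields
        return None


@dataclass
class NormalizationPolicy:
    compiled_normalizers: list   # callables raw -> dict or None, tried first
    packages: list               # regex-based packages, used only if all compiled ones fail

    def normalize(self, raw: str):
        for normalizer in self.compiled_normalizers:
            fields = normalizer(raw)
            if fields is not None:
                return fields
        for package in self.packages:
            fields = package.normalize(raw)
            if fields is not None:
                return fields
        return None


def json_normalizer(raw: str):
    """Stand-in for a compiled normalizer: accepts JSON object lines only."""
    try:
        fields = json.loads(raw)
    except ValueError:
        return None
    return fields if isinstance(fields, dict) else None


# Constructed signatures for a made-up login log format.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOGIN_FAILED = Signature(
    pattern=rf"(?P<user>\S+) failed login from (?P<source_address>{IPV4})",
    example="alice failed login from 203.0.113.5",
    key_values={"action": "login", "result": "failure"},
    replace_key_values={"user": "target_user"},
)
LOGIN_OK = Signature(
    pattern=rf"(?P<user>\S+) logged in from (?P<source_address>{IPV4})",
    example="bob logged in from 198.51.100.7",
    key_values={"action": "login", "result": "success"},
    replace_key_values={"user": "target_user"},
)

POLICY = NormalizationPolicy(
    compiled_normalizers=[json_normalizer],
    packages=[NormalizationPackage("auth_logs", [LOGIN_FAILED, LOGIN_OK])],
)

if __name__ == "__main__":
    for sig in (LOGIN_FAILED, LOGIN_OK):
        print(sig.example, "->", sig.check_pattern())
    print(POLICY.normalize("alice failed login from 203.0.113.5"))
    print(POLICY.normalize('{"action": "logout", "user": "bob"}'))
    print(POLICY.normalize("unrelated line"))
```

The Check Pattern step is worth running on every signature before saving the package: a pattern that does not match its own example never matches production logs, and those logs then fall through every package and arrive un-normalized, where routing criteria keyed on normalized field names cannot see them.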

Parsers

You can use parsers to analyze the incoming data and extract the individual log messages from it.

Configure Parsers
  1. Go to Configure >> Entities >> Parsers.

  2. Select the LogPoint instances where you want to configure the parser.

  3. Click Next.

  4. Enter a Name.

  5. Enter the regex Pattern.

  6. Enter an Example that matches the pattern.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

  10. Click OK.

Processing Policies

A processing policy combines a normalization policy, an enrichment policy, and a routing policy into a single policy. Its primary purpose is to help in the overall process of data normalization and enrichment.

Configure Processing Policies
  1. Go to Configure >> Entities >> Processing Policies.

  2. Select the LogPoint instances where you want to configure the processing policy.

  3. Click Next.

  4. Enter a Name.

  5. Select a Routing Policy, an Enrichment Policy, and a Normalization Policy.

  6. Click Next.

  7. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  8. Click Finish.

  9. Click OK.

Raw Syslog Forwarders

You can use the Raw Syslog Forwarder (RSF) to collect logs from different sources and forward the raw messages to a remote server in a Fabric-enabled LogPoint.

To use the raw syslog forwarder, you need to follow these steps:

  1. Add devices

Note

You can configure raw syslog forwarder in Fabric-enabled LogPoint v7.0.0 and later only.

Add a Device

Fabric-enabled LogPoint collects and forwards the raw syslog messages from the devices.

  1. Go to Configure >> Entities >> Raw Syslog Forwarders.

  2. Select the LogPoint where you want to configure the raw syslog forwarder.

  3. Click Next.

  4. Select Remote Target.

  5. Enter the regex Pattern.

  6. Under Device Configuration, select the device groups and devices from which the raw syslog messages are collected and forwarded.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

  10. Click OK.

Remote Targets

Remote targets are the devices where the raw syslog messages are forwarded. You need to create the remote target first to configure Raw Syslog Forwarders.

Note

You can configure remote target in Fabric-enabled LogPoint v7.0.0 and later only.

Configure Remote Targets
  1. Go to Configure >> Entities >> Remote Targets.

  2. Select the LogPoint instances where you want to configure the remote target.

  3. Click Next.

  4. Enter a Name.

  5. Enter an IP Address.

  6. Enter a Port number for the input port of the target.

  7. Select a Protocol to send the syslog message.

    Note

    Selecting TCP disables IP Spoofing.

  8. Click Next.

  9. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  10. Click Finish.

  11. Click OK.

Repos

LogPoint uses repos (repositories) to collect streaming logs and store them securely.

Configure Repos
  1. Go to Configure >> Entities >> Repos.

  2. Select the LogPoint instances where you want to configure the repo.

  3. Click Next.

  4. Enter a Name.

    Note

    The length of the repo name must not exceed 29 characters.

  5. Select a Repo Path.

  6. Enter the Retention (Days) for storing logs in the repo.

    Note

    The number of Retention (Days) must be at least two.

  7. Click Add.

    Note

    • You can click the Move Up and Move Down icons from the Action column of a repo to re-order it.

    • To delete a repo, click Delete in the Action column.

  8. Select a Remote LogPoint and Retention (Days) to configure High Availability. These fields are optional. The remote LogPoint lets you perform search operations even when the repo is not available.

    Note

    For multiple LogPoint instances, you can see the common remote LogPoint instances only in the Remote LogPoint drop-down.

  9. Click Next.

  10. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  11. Click Finish.

  12. Click OK.

Routing Policies

A routing policy lets you direct the incoming logs into different repositories in the LogPoint. You can use either Key Present or Value Matches criteria to configure a routing policy.

Configure Routing Policies
  1. Go to Configure >> Entities >> Routing Policies.

  2. Select the LogPoint instances where you want to configure the routing policy. You can select multiple LogPoint instances of different pools.

  3. Click Next.

  4. Enter a Name.

  5. Select a Catch All repository. All the logs that do not meet the Routing Criteria are stored in the Catch All repository.

  6. Select a routing criteria Type. The type can be either Key Present or Key Present Value Matches.

    • If you select Key Present, enter a Key. The routing criteria is applied to the log messages containing the provided key.

    • If you select Value Matches, enter a Key and its Value. The routing criteria is applied to the log messages containing the provided key and value.

      Note

      The Key for both Key Present and Key Present Value Matches types must be a normalized field name of the log messages.

  7. Select an Operation:

    • Store raw message stores both the raw message and the normalized data in the target repository.

    • Discard raw message discards the raw message and stores the normalized data only.

    • Discard entire event discards both the raw message and the normalized data.

  8. Select the target Repository for the routing criteria.

  9. Click Add.

    Note

    • You can configure a routing policy without a routing criteria.

    • You can add multiple routing criteria to a routing policy.

    • You can click the Move Up and Move Down icons from the Action column of a criteria to re-order it. LogPoint compares the criteria to the incoming logs to store the data to the target repo based on the order of the criteria.

    • You can click the Delete icon from the Action column of a criteria to delete it.

  10. Click Next.

  11. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  12. Click Finish.

  13. Click OK.
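The added example below (not LogPoint code; written for this page) models a routing policy as configured above: a Catch All repository, ordered criteria of type Key Present or Value Matches, each with one of the three operations (Store raw message, Discard raw message, Discard entire event) and a target repository. Because LogPoint compares the criteria in their configured order, the example routes the same constructed event under two orderings to show what Move Up and Move Down change. The criteria, repositories and events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

STORE_RAW = "Store raw message"        # raw message and normalized data are stored
DISCARD_RAW = "Discard raw message"    # only the normalized data is stored
DISCARD_EVENT = "Discard entire event" # nothing is stored


@dataclass
class RoutingCriterion:
    kind: str                  # "Key Present" or "Value Matches"
    key: str                   # a normalized field name
    repository: str            # target repository when the criterion matches
    operation: str = STORE_RAW
    value: Optional[str] = None

    def matches(self, fields: dict) -> bool:
        if self.kind == "Key Present":
            return self.key in fields
        if self.kind == "Value Matches":
            return fields.get(self.key) == self.value
        raise ValueError(f"unknown criterion type {self.kind!r}")


@dataclass
class RoutingPolicy:
    catch_all: str
    criteria: list

    def route(self, raw: str, fields: dict):
        """Return (repository, stored record); (None, None) when the event is dropped.

        Criteria are compared in configured order and the first match decides,
        which is why Move Up and Move Down change the outcome.
        """
        for criterion in self.criteria:
            if not criterion.matches(fields):
                continue
            if criterion.operation == DISCARD_EVENT:
                return None, None
            if criterion.operation == DISCARD_RAW:
                return criterion.repository, {"fields": fields}
            return criterion.repository, {"raw": raw, "fields": fields}
        # No criterion matched: the Catch All repository stores the full event.
        return self.catch_all, {"raw": raw, "fields": fields}


# Constructed criteria: drop debug chatter; keep anything carrying a user, without its raw message.
DROP_DEBUG = RoutingCriterion("Value Matches", "severity", "default", DISCARD_EVENT, value="debug")
AUTH_EVENTS = RoutingCriterion("Key Present", "user", "auth_repo", DISCARD_RAW)

# Constructed events as (raw message, normalized fields).
DEBUG_LOGIN = ("debug: alice login ok", {"severity": "debug", "user": "alice"})
FAILED_LOGIN = ("alice failed login", {"severity": "warning", "user": "alice", "result": "failure"})
HEARTBEAT = ("heartbeat", {"severity": "info"})


def route_with(order: list, event: tuple) -> tuple:
    """Route one event through a policy whose criteria are in the given order."""
    return RoutingPolicy("default", order).route(*event)


if __name__ == "__main__":
    for order in ([DROP_DEBUG, AUTH_EVENTS], [AUTH_EVENTS, DROP_DEBUG]):
        print([c.key for c in order], "->", route_with(order, DEBUG_LOGIN))
    print(route_with([DROP_DEBUG, AUTH_EVENTS], FAILED_LOGIN))
    print(route_with([DROP_DEBUG, AUTH_EVENTS], HEARTBEAT))
```

A debug-level login event is dropped when the discard criterion sits first but lands in auth_repo when the user criterion is moved above it, so the order of the list is part of the retention decision and deserves review whenever a discard criterion is added. Note also that Discard raw message keeps only normalized data, so anything a signature failed to extract is gone for good; for evidence-grade sources, Store raw message is the safer choice.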

SNMP Policies

An SNMP policy is used by the SNMP fetcher to make an SNMP walk query. Each SNMP policy is a set of Object Identifiers (OIDs) and their query time intervals. Each OID specifies a branch of the OID tree to fetch; all variables in the sub-tree below the given OID are queried.

Configure SNMP Policies
  1. Go to Configure >> Entities >> SNMP Policies.

  2. Select the LogPoint instances where you want to configure the SNMP policy.

  3. Click Next.

  4. Enter a Name.

  5. Enter the SNMP OID and a Fetch Interval in minutes.

  6. Click Add.

    Note

    • An SNMP policy can have multiple OIDs.

    • You can click the Delete icon from the Action column of an OID to delete it.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

  10. Click OK.

File System Collectors

A file system collector reads the contents of files configured in a LogPoint. It is only applied to the localhost device to monitor the log files.

The file system collector collects all the internal logs generated in each LogPoint. It captures all the records from collectors, web servers, mergers, normalizers, and the applications used in LogPoint.

Configure File System Collectors
  1. Go to Configure >> Built-in Collectors/Fetchers >> File System Collectors.

  2. Select the LogPoint instances where you want to configure the file system collector.

  3. Click Next.

  4. Enter the Excluded Path.

  5. Select a Processing Policy.

  6. Select a Parser.

  7. Select an encoding format from the Charset drop-down.

  8. Enter the file Path.

  9. In the Select Devices section, select localhost.

  10. Click Next.

  11. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  12. Click Finish.

  13. Click OK.

FTP Collectors

You can use an FTP collector to collect logs from files uploaded to the LogPoint using FTP clients.

Configure FTP Collectors
  1. Go to Configure >> Built-in Collectors/Fetchers >> FTP Collectors.

  2. Select the LogPoint instances where you want to configure the FTP collector.

  3. Click Next.

  4. Enter a Username. Clients need the credentials to upload files to the configured FTP server.

  5. Select a Processing Policy and a Parser.

  6. Select an encoding format from the Charset drop-down.

  7. Enter the Source Name, i.e., the name of the file to be uploaded to the collector; it works as the unique identifier for the collector.

  8. Enter the Password of the FTP server.

  9. You can either configure the FTP collector to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the collector.

      Note

      For multiple LogPoint instances, you can select the devices used by the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the collector.

  10. Click Next.

  11. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  12. Click Finish.

  13. Click OK.

FTP Fetchers

You can use an FTP fetcher to set up an FTP client in LogPoint to pull the data available in the remote FTP server.

Configure FTP Fetchers
  1. Go to Configure >> Built-in Collectors/Fetchers >> FTP Fetchers.

  2. Select the LogPoint instances where you want to configure the FTP fetcher.

  3. Click Next.

  4. Enter a Username for the user on the FTP server.

  5. Select a Processing Policy.

  6. Select a Parser.

  7. Select an encoding format from the Charset drop-down.

  8. Enter the Fetch Interval time in minutes.

  9. Enter the Filename Pattern. The pattern applies to the path beyond the base directory.

  10. Under Old Logs, select On to forward the old logs or Off if you do not want to forward the old logs.

  11. Enter a valid Password of the FTP server’s user.

  12. Enter the Port number on which the FTP service is running. The default port for FTP is 21.

  13. Enter the Remote Path.

  14. You can either configure the FTP fetcher to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the fetcher.

      Note

      For multiple LogPoint instances, you can select the devices used by the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the fetcher.

  15. Click Next.

  16. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  17. Click Finish.

  18. Click OK.

SCP Fetchers

An SCP fetcher fetches logs from the log files present in the remote host using an SSH connection.

Configure SCP Fetchers
  1. Go to Configure >> Built-in Collectors/Fetchers >> SCP Fetchers.

  2. Select the LogPoint instances where you want to configure the SCP fetcher.

  3. Click Next.

    Configuring the SCP Fetcher with Password Authentication:

    Configuring the SCP Fetcher with Certificate Authentication:

  4. Select an Authentication Type:

    • If you select Password, enter a Username and a Password for authentication.

    • If you select Certificate, enter a Username. You can view the generated SCP certificate key on the right side of the page.

      Note

      • The SCP Certificate is unique for each LogPoint. Thus, for multiple LogPoint instances, the application creates a distinct certificate for each one.

      • Save the password or the SSH certificate key, as it is required later for the user validation.

  5. Enter the Relative File Path. This field denotes the base directory (can also be relative to the user’s home directory). Only the names of the subfolders and files within this location are matched against the Filename Pattern to determine the files whose contents are read by the SCP Fetcher.

  6. Enter the Filename Pattern in regex to fetch the files matching the pattern. The application applies this pattern to the path within the base directory.

  7. Under Forward Old Logs, select On to forward old logs, otherwise, select Off.

  8. Enter the Port Number on which the SCP service listens on the remote server. The default SCP port is 22.

  9. Enter the Fetch Interval time in minutes.

  10. Select a Parser.

  11. Select a Processing Policy.

  12. Select an encoding format from the Charset drop-down.

  13. You can either configure the SCP fetcher to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the fetcher.

    Note

    For multiple LogPoint instances, you can select the devices common to the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the fetcher.

  14. Click Next.

  15. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  16. Click Finish.

  17. Click OK.
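Both the FTP fetcher (Filename Pattern, Old Logs) and the SCP fetcher (Relative File Path, Filename Pattern, Forward Old Logs) apply the pattern to the path beyond the base directory. The added example below (not LogPoint code) shows that matching against a constructed remote listing and a per-file read offset across two fetch cycles; whether the pattern must match the whole relative path, and exactly what "old logs" skips, are assumptions stated in the comments.

```python
import re


def relative_path(remote_path: str, base: str):
    """Part of remote_path below the base directory, or None when it lies outside it."""
    base = base.rstrip("/") + "/"
    return remote_path[len(base):] if remote_path.startswith(base) else None


def select_files(remote_paths, base: str, pattern: str) -> list:
    """Apply the Filename Pattern to the path beyond the base directory only.
    Whether the whole relative path or just part of it must match is not stated on
    the page; fullmatch is assumed here, so write the pattern for the full relative path."""
    rx = re.compile(pattern)
    rels = (relative_path(p, base) for p in remote_paths)
    return sorted(r for r in rels if r is not None and rx.fullmatch(r))


def fetch_cycle(remote_files: dict, base: str, pattern: str,
                forward_old_logs: bool, state: dict) -> list:
    """One fetch interval. remote_files maps absolute remote path -> current content and
    stands in for the remote host. state keeps a read offset per file so that later cycles
    forward only appended lines. Old-logs handling is an assumption: with the option Off,
    content that already exists on the first cycle is skipped instead of forwarded."""
    forwarded = []
    first_cycle = not state["initialised"]
    for rel in select_files(remote_files, base, pattern):
        content = remote_files[base.rstrip("/") + "/" + rel]
        offsets = state["offsets"]
        if rel not in offsets:
            offsets[rel] = len(content) if first_cycle and not forward_old_logs else 0
        forwarded.extend((rel, line) for line in content[offsets[rel]:].splitlines())
        offsets[rel] = len(content)
    state["initialised"] = True
    return forwarded


# Constructed remote listing: files under the base directory plus one outside it.
REMOTE = {
    "/var/log/app/2024-01-01/access.log": "GET /a\nGET /b\n",
    "/var/log/app/2024-01-02/access.log": "GET /c\n",
    "/var/log/app/2024-01-02/error.log": "oops\n",
    "/var/log/other/access.log": "GET /x\n",
}
BASE = "/var/log/app"
PATTERN = r"\d{4}-\d{2}-\d{2}/access\.log"


def run_demo(forward_old_logs: bool) -> tuple:
    """Two cycles: the host appends a line to one matched file between them."""
    state = {"offsets": {}, "initialised": False}
    remote = dict(REMOTE)
    first = fetch_cycle(remote, BASE, PATTERN, forward_old_logs, state)
    remote["/var/log/app/2024-01-02/access.log"] += "GET /d\n"
    second = fetch_cycle(remote, BASE, PATTERN, forward_old_logs, state)
    return first, second


if __name__ == "__main__":
    for flag in (True, False):
        print("Forward Old Logs", "On" if flag else "Off", "->", run_demo(flag))
```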

SFlow Collectors

You can collect the flow packets forwarded to LogPoint using an SFlow collector. SFlow is a sampling technology used to monitor networks, wireless, and host devices. The sampled packets are called flow packets.

Configure SFlow Collectors
  1. Go to Configure >> Built-in Collectors/Fetchers >> SFlow Collectors.

  2. Select the LogPoint instances where you want to configure the SFlow collector.

  3. Click Next.

  4. Select a Processing Policy to apply to the logs.

  5. You can either configure the SFlow collector to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the collector.

      Note

      For multiple LogPoint instances, you can select the devices used by the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the collector.

  6. Click Next.

  7. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  8. Click Finish.

  9. Click OK.

Snare Collectors

You can use a Snare collector to collect and analyze logs from the Windows Snare agent or any other Syslog server forwarding data to port 6161.

Configure Snare Collectors
  1. Go to Configure >> Built-in Collectors/Fetchers >> Snare Collectors.

  2. Select the LogPoint instances where you want to configure the Snare collector.

  3. Click Next.

  4. Select a Processing Policy and a Parser.

  5. Select an encoding format from the Charset drop-down.

  6. You can either configure the snare collector to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the collector.

      Note

      For multiple LogPoint instances, you can select the devices common to the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the collector.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

  10. Click OK.

SNMP Fetchers

An SNMP fetcher allows you to make SNMP queries to network devices to get responses into LogPoint. You need an SNMP policy to make an SNMP walk query. An SNMP policy is a set of OIDs and their query time intervals.

Configure SNMP Fetchers
  1. Go to Configure >> Built-in Collectors/Fetchers >> SNMP Fetchers.

  2. Select the LogPoint instances where you want to configure the SNMP fetcher.

  3. Click Next.

    Configuring the SNMP Fetcher V_3:

    Configuring the SNMP Fetcher V_12:

  4. Select an SNMP Version:

    • If you select V_3:

      1. Enter the Username of the user forwarding the logs to the server.

      2. Enter the Authorization Key and Private Key used for Authentication of SNMP users, Privacy of communication, and Integrity of messages.

      3. Click the View icon to view the authorization key and the private key.

    • If you select V_12:

      1. Enter the Community String used for authentication of messages.

      2. Click the View icon to view the community string.

  5. Enter the Port number on which the SNMP service is running.

  6. Select a Processing Policy.

  7. Select an SNMP Policy.

    Note

    You need to configure the SNMP policy before adding an SNMP fetcher to any device.

  8. Select an encoding format from the Charset drop-down.

  9. You can either configure the SNMP fetcher to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the fetcher.

      Note

      For multiple LogPoint instances, you can select the devices common to the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the fetcher.

  10. Click Next.

  11. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  12. Click Finish.

  13. Click OK.
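The SNMP Policies and SNMP Fetchers sections both describe a policy as a set of OIDs with fetch intervals, where a walk returns every variable in the subtree below each OID. The added example below (not LogPoint code) shows that selection and scheduling against a constructed agent snapshot; the OIDs used are standard MIB-II branches.

```python
def parse_oid(oid: str) -> tuple:
    """'1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1); arcs compare as integers."""
    return tuple(int(arc) for arc in oid.strip(".").split("."))


def in_subtree(oid: str, root: str) -> bool:
    """True when oid lies at or below root. Comparing arcs rather than strings
    keeps 1.3.6.1.2.1.10 (transmission) out of the 1.3.6.1.2.1.1 (system) subtree."""
    o, r = parse_oid(oid), parse_oid(root)
    return o[:len(r)] == r


def walk(snapshot: dict, root: str) -> list:
    """Everything the agent holds below root, in OID order (what a walk returns)."""
    hits = [(k, v) for k, v in snapshot.items() if in_subtree(k, root)]
    return sorted(hits, key=lambda kv: parse_oid(kv[0]))


def due_oids(policy: dict, minute: int) -> list:
    """OIDs whose Fetch Interval (minutes) divides the current minute counter."""
    return [oid for oid, interval in policy.items() if minute % interval == 0]


def fetch_cycle(snapshot: dict, policy: dict, minute: int) -> dict:
    """One fetcher tick: walk every policy OID that is due, keyed by policy OID."""
    return {oid: walk(snapshot, oid) for oid in due_oids(policy, minute)}


# Constructed agent state of one router, keyed by instance OID.
AGENT = {
    "1.3.6.1.2.1.1.1.0": "Constructed Router OS 1.0",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 8640000,                      # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "edge-rtr-01",                # sysName.0
    "1.3.6.1.2.1.2.2.1.10.1": 987654321,               # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 123456789,               # ifInOctets.2
    "1.3.6.1.2.1.10.7.2.1.1.1": 1,                     # dot3StatsIndex.1, not under system
}

# Constructed SNMP policy: policy OID -> Fetch Interval in minutes.
POLICY = {"1.3.6.1.2.1.1": 60, "1.3.6.1.2.1.2.2.1.10": 5}

if __name__ == "__main__":
    for minute in (5, 60):
        for oid, rows in fetch_cycle(AGENT, POLICY, minute).items():
            print(f"minute {minute}: walk {oid} -> {len(rows)} variables")
```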

SNMP Trap Collectors

An SNMP trap collector collects logs from the SNMP enabled devices. SNMP traps are alert messages sent by the devices to the SNMP manager with information about the occurrence of any significant event.

Configure SNMP Trap Collectors
  1. Go to Configure >> Built-in Collectors/Fetchers >> SNMP Trap Collectors.

  2. Select the LogPoint instances where you want to configure the SNMP trap collector.

  3. Click Next.

    Configuring the SNMP Trap Collector V_3:

    Configuring the SNMP Trap Collector V_12:

  4. Select an SNMP Version:

    • If you select V_3:

      1. Select a Processing Policy.

      2. Enter the Username of the user forwarding the logs to the server.

      3. Enter the Authorization Key and Private Key used for Authentication of SNMP users, Privacy of communication, and Integrity of messages.

        Note

        Click the View icon to view the authorization key and the private key.

      4. Enter the Security Engine ID.

    • If you select V_12:

      1. Select a Processing Policy.

      2. Enter the Community String used for authentication of messages.

        Note

        Click the View icon to view the community string.

    Note

    The Authorization Key must contain at least eight characters.

  5. You can either configure the SNMP trap collector to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the collector.

      Note

      For multiple LogPoint instances, you can select the devices common to the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the collector.

  6. Click Next.

  7. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  8. Click Finish.

  9. Click OK.

Syslog Collectors

You can use a syslog collector to collect data from sources that follow the syslog protocol. Once you add a device, you can use it either as a proxy, or as a device depending on its mode of configuration.

Configure Syslog Collectors
  1. Go to Configure >> Built-in Collectors/Fetchers >> Syslog Collectors.

  2. Select the LogPoint instances where you want to configure the syslog collector.

  3. Click Next.

  4. Select a Proxy Condition:

    1. If you select None, select a Processing Policy, a Parser, and a Charset. The device works as a syslog collector.

    2. If you select Use as Proxy, select a Parser, and a Charset. The device itself is used as a proxy.

    3. If you select Uses Proxy, select a Processing Policy, enter a ProxyIP, which is the IP address of the device used as its proxy, and enter the Proxy Server Hostnames (case-sensitive). The device uses a proxy device to collect logs.

  5. You can either configure the syslog collector to a device or a log collection policy.

    1. If you select Device, select all the devices where you want to configure the collector.

      Note

      For multiple LogPoint instances, you can select the devices common to the selected LogPoints only.

    2. If you select Log Collection Policy, select all the log collection policies where you want to configure the collector.

      Note

      You can only select a log collection policy if you used None as the proxy condition.

  6. Click Add to List.

  7. Click Next.

  8. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  9. Click Finish.

  10. Click OK.
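The three proxy conditions decide how a received syslog line is attributed to a device: directly by sender IP for None, or, for a line relayed by a Use as Proxy device, by the ProxyIP and a case-sensitive hostname match on a Uses Proxy device. The added example below (not LogPoint code) resolves constructed syslog lines against a constructed device inventory; how LogPoint treats a relayed hostname that matches no device is not stated on the page, so rejecting it is this example's choice.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    addresses: list                      # Device address(es)
    proxy_condition: str = "None"        # "None", "Use as Proxy" or "Uses Proxy"
    proxy_ip: str = ""                   # ProxyIP, only for "Uses Proxy"
    proxy_hostnames: list = field(default_factory=list)  # Proxy Server Hostnames


# Minimal BSD-style header: <PRI>, timestamp, hostname, then the message.
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_header(line: str):
    m = HEADER.match(line)
    if not m:
        return None
    return {"pri": int(m.group(1)), "timestamp": m.group(2),
            "hostname": m.group(3), "message": m.group(4)}


def resolve_device(devices: list, source_ip: str, hostname: str):
    """Attribute one log line to a configured device.
    If the sender is a 'Use as Proxy' device, look for a 'Uses Proxy' device whose ProxyIP
    is that sender and whose hostname list contains the header hostname exactly (the page
    says the match is case-sensitive). Otherwise fall back to the device owning the IP.
    Returning None for an unmatched relayed hostname is an assumption of this example."""
    senders = [d for d in devices if source_ip in d.addresses]
    if any(d.proxy_condition == "Use as Proxy" for d in senders):
        for d in devices:
            if (d.proxy_condition == "Uses Proxy" and d.proxy_ip == source_ip
                    and hostname in d.proxy_hostnames):
                return d
        return None
    return next((d for d in senders if d.proxy_condition == "None"), None)


def attribute(devices: list, source_ip: str, line: str):
    """Name of the device a raw line is attributed to, or None."""
    hdr = parse_header(line)
    if hdr is None:
        return None
    dev = resolve_device(devices, source_ip, hdr["hostname"])
    return dev.name if dev else None


# Constructed inventory: a relay that forwards for web-01, and a firewall logging directly.
DEVICES = [
    Device("syslog-relay", ["10.0.0.5"], "Use as Proxy"),
    Device("web-01", ["10.0.1.10"], "Uses Proxy", "10.0.0.5", ["web-01"]),
    Device("fw-edge", ["10.0.0.1"], "None"),
]

if __name__ == "__main__":
    print(attribute(DEVICES, "10.0.0.5", "<134>Jan 10 12:00:01 web-01 nginx: GET /"))  # web-01
    print(attribute(DEVICES, "10.0.0.5", "<134>Jan 10 12:00:02 WEB-01 nginx: GET /"))  # None
    print(attribute(DEVICES, "10.0.0.1", "<34>Jan 10 12:00:03 fw-edge kernel: drop"))  # fw-edge
```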

Tables

Tables store the data that you can use to enrich the logs. A dynamic table is a table where you can specify the fields and obtain the values for the specified fields during runtime for a limited or an unlimited period.

You can configure dynamic tables via Director Console and update the values for the table at runtime using a search query through a Fabric-enabled Logpoint or a Logpoint Search Master. Go to Tables for more details.

Note

You can configure tables for Fabric-enabled Logpoint v7.2.0 and later.

Add a Table
  1. Go to Configure >> Entities >> Tables.

  2. Select the Logpoint instances where you want to add and configure the table.

  3. Click Next.

  4. Enter a Name for the table.

  5. Enter the values for Day, Hour and Minute to set the Age Limit of the table.

  6. Click Next.

  7. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to get an overview as a PDF.

  8. Click Finish.

  9. Click OK.

WMI Fetchers

You can use a WMI Fetcher to collect information from Windows devices using the WMI service.

Configure WMI Fetchers
  1. Go to Configure >> Built-in Collectors/Fetchers >> WMI Fetchers.

  2. Select the LogPoint instances where you want to configure the WMI Fetcher.

  3. Click Next.

  4. Enter the Username and Password of the Windows devices configured for the WMI service.

  5. Select the Fetch Interval in minutes. Each log fetched by the WMI Fetcher is parsed for further processing; WmiParser is applied to the logs by default.

  6. Select a Facility and a Severity.

  7. Select a Processing Policy.

  8. Select an encoding format from the Charset drop-down.

  9. You can either configure the WMI fetcher to a device or a log collection policy.

    • If you select Device, select all the devices where you want to configure the fetcher.

      Note

      For multiple LogPoint instances, you can select the devices common to the selected LogPoint instances only.

    • If you select Log Collection Policy, select all the log collection policies where you want to configure the fetcher.

  10. Click Next.

  11. Review your changes. You can go Back to make any changes if necessary.

    Note

    Click Download Report to save the summary of the task in PDF.

  12. Click Finish.

  13. Click OK.
