Using the Configuration APIs, you can configure and manage the following entities in a Fabric-enabled LogPoint:

- Devices
- Device groups
- Distributed Collectors
- Normalization policies
- Repos
- Distributed LogPoints
- Parsers
- Enrichment sources
- Enrichment policies
- Routing policies
- Processing policies
- SNMP policies
- LogCollection policies
- RawSyslog forwarder
- UEBA Settings
Devices are the machines from which LogPoint collects logs.
| Endpoint | Description |
|---|---|
| AddIgnoredIps | Adds a device to the ignored IP list. |
| Attach | Attaches devices on behalf of the collector LogPoint from the main LogPoint in a Distributed LogPoint setup. |
| Create | Creates a new device. |
| Detach | Detaches devices on behalf of the collector LogPoint from the main LogPoint in a Distributed LogPoint setup. |
| Edit | Edits the device configurations with the given ID. |
| Get | Fetches the device configurations with the given ID. |
| GetPlugins | Fetches the plugins with the given ID. |
| Install | Installs the given CSV file with device configurations. |
| List | Lists the devices. |
| ListBlockedIps | Lists the IPs of all the devices in the blocked IP list. |
| ListIgnoredIps | Lists the IPs of all the devices in the ignored IP list. |
| ListPrivateUploads | Lists the files from the private storage of the API. |
| ListPublicUploads | Lists the files from the public storage of the API. |
| RefreshBlockedIps | Updates the blocked IP list. |
| Trash | Deletes the device with the given ID. |
| TrashIgnoredIps | Removes the device IP of the given ID from the ignored IP list. |
| TrashPrivateUploads | Deletes the file with the given name from the private storage of the API. |
| TrashPublicUploads | Deletes the file with the given name from the public storage of the API. |
| Upload | Uploads the given file to the private storage of the API. |
| UploadPublic | Uploads the given file to the public storage of the API. |
Note

The following endpoints can be accessed using Fabric-enabled LogPoint v6.7.2 and later:

- Devices - Install
- Devices - ListPrivateUploads
- Devices - ListPublicUploads
- Devices - TrashPrivateUploads
- Devices - TrashPublicUploads
- Devices - Upload
- Devices - UploadPublic
Device Groups are a cluster of log collecting devices. One device can be associated with more than one device group.
| Endpoint | Description |
|---|---|
| Create | Creates a new device group. |
| Edit | Edits the settings of the device group with the given ID. |
| Get | Fetches the device group with the given ID. |
| List | Lists the device groups. |
| Trash | Deletes the device group with the given ID. |
The DistributedCollectors API allows you to activate, deactivate, and delete LogPoint Collectors of a Fabric-enabled LogPoint.
A LogPoint Collector collects logs from different sources, normalizes them against the signatures applied, and forwards them.
| Endpoint | Description |
|---|---|
| Activate | Activates the distributed collector with the given ID. |
| Deactivate | Deactivates the distributed collector with the given ID. |
| Get | Fetches the distributed collector with the given ID. |
| List | Lists the distributed collectors. |
| RefreshList | Updates the distributed collector data list. |
| Trash | Deletes the distributed collector with the given ID. |
Normalization policies determine the process through which data in the incoming logs are grouped into key-value pairs. Each normalization policy is a combination of one or more normalization packages.
| Endpoint | Description |
|---|---|
| Create | Creates a new normalization policy. |
| Edit | Edits the settings of the normalization policy with the given ID. |
| Get | Fetches the normalization policy with the given ID. |
| List | Lists the normalization policies. |
| Trash | Deletes the normalization policy with the given ID. |
Repos (repositories) in a LogPoint collect streaming logs and store them securely. A single repo consists of one or more repo paths, each with its own retention policy. How long logs are retained in a repo depends on that retention policy.
| Endpoint | Description |
|---|---|
| Create | Creates a new repo. |
| Edit | Updates the configuration settings of the repo with the given ID. |
| FetchRemoteRepos | Fetches the local and remote repos. |
| Get | Fetches the repo with the given ID. |
| List | Lists the repos. |
| ListRepoPaths | Lists the allowed repo paths created in LogPoint by the li-admin user. |
| RefreshRepoPaths | Syncs the repo paths with the LogPoint repo paths. |
| Trash | Deletes the repo with the given ID. |
Using the Distributed LogPoints API, you can connect multiple Fabric-enabled LogPoint instances and store their logs. You can monitor, configure, and analyze the logs on the connected machines.
| Endpoint | Description |
|---|---|
| Create | Adds a distributed LogPoint. |
| Edit | Edits the settings of the distributed LogPoint with the given ID. |
| Get | Fetches the distributed LogPoint with the given ID. |
| List | Lists the distributed LogPoints. |
| RefreshList | Syncs the distributed LogPoint’s data. |
| Trash | Deletes the distributed LogPoint with the given ID. |
Parsers analyze the incoming log data and extract individual logs from them. These logs are then broken into smaller elements so that further processing can be done on each log separately.
| Endpoint | Description |
|---|---|
| Check | Checks the regex pattern. |
| Create | Creates a new parser. |
| Edit | Edits the parser with the given ID. |
| Get | Fetches the parser with the given ID. |
| List | Lists the parsers. |
| Trash | Deletes the parser with the given ID. |
An enrichment source maintains the data that a Fabric-enabled LogPoint can use to enrich its logs.
| Endpoint | Description |
|---|---|
| Get | Fetches the enrichment source with the given ID. |
| List | Lists the enrichment sources. |
| RefreshList | Syncs the enrichment sources. |
An enrichment policy is a set of enrichment specifications which consist of enrichment criteria and enrichment rules. The enrichment criteria are the conditions that must match the key-value pairs of the normalized event logs. Once the criteria are matched, the Fabric-enabled LogPoint uses the enrichment rules to enrich the logs.
| Endpoint | Description |
|---|---|
| Create | Creates a new enrichment policy. |
| Edit | Edits the enrichment policy with the given ID. |
| Get | Fetches the enrichment policy with the given ID. |
| List | Lists the enrichment policies. |
| Trash | Deletes the enrichment policy with the given ID. |
Routing policies allow you to selectively direct the incoming logs into different repos. You can perform routing by key-value match or key-present criteria.
| Endpoint | Description |
|---|---|
| Create | Creates a new routing policy. |
| Edit | Edits the routing policy with the given ID. |
| Get | Fetches the routing policy with the given ID. |
| List | Lists the routing policies. |
| Trash | Deletes the routing policy with the given ID. |
A processing policy integrates a normalization policy, an enrichment policy, and a routing policy into a single policy. This method eliminates the need to add a normalization policy, an enrichment policy, and a routing policy every time you configure a collector or a fetcher.
| Endpoint | Description |
|---|---|
| Create | Creates a new processing policy. |
| Edit | Edits the processing policy with the given ID. |
| Get | Fetches the processing policy with the given ID. |
| List | Lists the processing policies. |
| Trash | Deletes the processing policy with the given ID. |
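The enrichment, routing and processing policy descriptions above say what each stage does but not how the three fit together for a single log line. The following is an added example, not code from LogPoint or its API: a minimal model of a processing policy that chains normalization (regex packages producing key-value pairs), enrichment (rules applied only when the criteria match the normalized keys) and routing (a repo chosen by key-value match or key-present criteria). The policy layouts, field names, enrichment table and sample syslog lines are all constructed for illustration and are not the data model the Configuration API expects.

```python
"""Toy processing pipeline: normalize -> enrich -> route (added example, not LogPoint code)."""
import re

# Normalization policy: a list of "packages"; here each package is a regex whose
# named groups become the key-value pairs of the event (constructed patterns).
NORMALIZATION_POLICY = [
    re.compile(r"^(?P<device_name>\S+) sshd\[\d+\]: (?P<action>Accepted|Failed) password "
               r"for (?P<user>\S+) from (?P<source_address>[\d.]+)"),
    re.compile(r"^(?P<device_name>\S+) kernel: (?P<message>.*)$"),
]


def normalize(raw, policy=NORMALIZATION_POLICY):
    """Return the key-value pairs of the first package that matches, else an empty dict."""
    for package in policy:
        match = package.search(raw)
        if match:
            return {k: v for k, v in match.groupdict().items() if v is not None}
    return {}


# Enrichment source: a lookup table keyed by source_address (constructed sample data).
ENRICHMENT_SOURCE = {
    "10.0.0.5": {"geo_country": "NO", "asset_owner": "finance"},
}

# Enrichment policy: each specification has criteria (normalized key must equal the
# value) and a rule (which normalized key to join against the source on).
ENRICHMENT_POLICY = [
    {"criteria": {"action": "Failed"}, "rule": {"lookup_key": "source_address"}},
]


def enrich(event, policy=ENRICHMENT_POLICY, source=ENRICHMENT_SOURCE):
    """Apply every specification whose criteria match; unmatched events pass through unchanged."""
    out = dict(event)
    for spec in policy:
        if all(out.get(k) == v for k, v in spec["criteria"].items()):
            row = source.get(out.get(spec["rule"]["lookup_key"]))
            if row:
                out.update(row)
    return out


# Routing policy: first matching rule wins. "key_value" and "key_present" are the two
# criteria kinds named on the page; the rule layout itself is an assumption.
ROUTING_POLICY = [
    {"criteria": "key_value", "key": "action", "value": "Failed", "repo": "auth_failures"},
    {"criteria": "key_present", "key": "user", "repo": "auth"},
]
DEFAULT_REPO = "default"


def route(event, policy=ROUTING_POLICY):
    """Pick the repo for an event; events matching no rule go to the default repo."""
    for rule in policy:
        if rule["criteria"] == "key_value" and event.get(rule["key"]) == rule["value"]:
            return rule["repo"]
        if rule["criteria"] == "key_present" and rule["key"] in event:
            return rule["repo"]
    return DEFAULT_REPO


def process(raw):
    """A processing policy bundles the three stages; returns (repo, enriched event)."""
    event = enrich(normalize(raw))
    return route(event), event


# Constructed sample input: two sshd lines, one kernel line, one line no package matches.
SAMPLE_LOGS = [
    "bastion01 sshd[4121]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "bastion01 sshd[4122]: Accepted password for alice from 10.0.0.9 port 51235 ssh2",
    "core01 kernel: eth0: link up",
    "garbage line with no package",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        repo, event = process(line)
        print(f"{repo:14} {event}")
```

The un-normalizable fourth line still gets a repo: it falls through to the default, which is the behaviour you want to verify in a real routing policy so that logs no rule claims are not silently dropped.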
| Endpoint | Description |
|---|---|
| Create | Creates a new SNMP policy. |
| Edit | Edits the SNMP policy with the given ID. |
| Get | Fetches the SNMP policy with the given ID. |
| List | Lists the SNMP policies. |
| Trash | Deletes the SNMP policy with the given ID. |
Log Collection Policies are the rules that Fabric-enabled LogPoint uses to collect logs.
| Endpoint | Description |
|---|---|
| Create | Creates a new log collection policy. |
| Edit | Edits the log collection policy with the given ID. |
| Get | Fetches the log collection policy with the given ID. |
| GetPlugins | Fetches the plugins that use the log collection policy with the given ID. |
| List | Lists the log collection policies. |
| Trash | Deletes the log collection policy with the given ID. |
Note
You can configure log collection policies for Fabric-enabled LogPoint v6.7.2 and later.
LogPoint collects and forwards the raw syslog messages from the devices to the targets. Raw Syslog Forwarder (RSF) collects logs from different sources and forwards the raw messages to a remote server. Refer to the Raw Syslog Forwarder section for more details.
| Endpoint | Description |
|---|---|
| Create | Creates a new raw syslog forwarder device. |
| CreateTarget | Creates a new target. |
| Edit | Updates the existing configuration of the raw syslog forwarder with the given ID. |
| EditTarget | Edits the settings of the target with the given ID. |
| Get | Fetches the raw syslog forwarder with the given ID. |
| GetTarget | Fetches the target with the given ID. |
| List | Lists all raw syslog forwarders. |
| ListTarget | Lists all targets in the Fabric-enabled LogPoint. |
| Trash | Deletes the raw syslog forwarder with the given ID. |
| TrashTarget | Deletes the target with the given ID. |
Note
You can configure and manage raw syslog forwarders and target devices for Fabric-enabled LogPoint v7.0.0 and later.
Using the UEBA endpoints, you can:

- Enable and disable UEBA,
- Add a UEBA license,
- Select repos, alert logs, and entities for UEBA analysis, and
- Monitor the health status and validation logs of the UEBA system.
User and Entity Behavior Analytics (UEBA) enables LogPoint to detect abnormal and risky behaviors by evaluating activities that differ from the previously set baselines. To learn more, see the UEBA guide.
| Endpoint | Description |
|---|---|
| ConfigureAlertLogs | Configures the risk score for UEBA alerts. LogPoint uses the risk score to categorize the UEBA anomalies based on their risk level. |
| ConfigureRepo | Adds the given repositories for UEBA analysis. |
| EnableUEBAMode | Enables or disables the UEBA configurations in the given LogPoint. |
| CreateEntity | Adds new entities for UEBA analysis. |
| EditEntity | Updates the UEBA entity with the given ID. |
| FetchHealthStatus | Returns UEBA’s health status and validation information summary. |
| FetchUEBALicenseState | Returns the current status of the UEBA license in the given LogPoint. |
| FetchValidationReport | Returns the details of the violated logs for all data sources in the given LogPoint. |
| GetEntity | Fetches the details of the UEBA entity with the given ID. |
| InstallUEBALicense | Installs the UEBA license in the given LogPoint. |
| ListEntities | Returns an array of the UEBA entities’ information. |
| ListPrivateUploads | Returns the list of the UEBA license package files available in the API server’s private storage. |
| ListPublicUploads | Returns the list of the UEBA license package files available in the API server’s public storage. |
| ListUEBAConfiguration | Returns the details of UEBA license consumption in the given LogPoint. |
| ListUEBALicenseInfo | Lists the details of the UEBA license currently used in the given LogPoint. |
| RefreshConfigurationLists | Syncs the UEBA configuration list in the API server with LogPoint’s configuration list. |
| RefreshEntityLists | Syncs the UEBA entity list in the API server with LogPoint’s entity list. |
| TrashEntity | Deletes the UEBA entity with the given ID. |
| TrashPrivateUploads | Deletes the UEBA license with the given name from the API server’s private storage. |
| TrashPublicUploads | Deletes the UEBA license with the given name from the API server’s public storage. |
| UpdateEntityPriorities | Updates the UEBA entities’ priorities. |
| Upload | Uploads the given UEBA license package file to the API server’s private storage. |
| UploadPublic | Uploads the given UEBA license package file to the API server’s public storage. |
Note
You can configure and manage the UEBA settings for Fabric-enabled LogPoint v7.1.0 and later.