Fetchers fetch logs from a remote location. You need to provide relevant parameters to configure the fetchers. Once you provide the credentials, use Test to check whether the fetcher is working correctly.
You can find the following built-in fetchers in LogPoint.
Windows Management Instrumentation (WMI) is a platform developed by Microsoft for sharing information and notifications. WMI defines a proprietary set of environment-independent specifications. The specifications allow you to share information between management applications.
LogPoint provides WMI Fetcher to collect the information from the Windows devices using the WMI service.
Configuring WMI Fetcher in LogPoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under the Actions column of the device.
Click WMI Fetcher.
[Figure: Configuring WMI Fetcher in LogPoint]
Provide the Username and Password of Windows configured for the WMI service.
Warning
If the Windows user is in a domain, make sure that the username you provide is in the format domain/username (domain@username is invalid).
Provide the Fetch Interval in minutes.
Choose a Parser, a Facility, and a Severity.
Select a Processing Policy to apply over the logs.
Choose an encoding format from the Charset drop-down menu.
Click Submit.
Note
Provide the password of the Windows user account that is used for the WMI service.
Configuration of Windows system for WMI
Before using WMI service, you need to configure settings for the Windows device as well. Follow these steps to complete the configuration process.
Go to Control Panel >> Administrative Tools >> Component Services.
On the left panel of the Component Services window, expand Component Services >> Computers.
Right-click My Computer and choose Properties.
Select the COM Security tab.
Click Edit Limits in Launch and Activation Permissions.
Click Add.
Click Advanced.
Click Find Now.
Choose a user and click OK.
Now, the user’s name is displayed in the name field in the Select Users or Groups window.
Click OK.
In the Launch Permission window, select the Remote Launch and Remote Activation options.
Click OK.
Configuration of Windows system for WMI with non admin rights
Follow the steps below to configure a user with non-admin rights to forward Windows logs into LogPoint using the WMI service.
Create a new user from Administrative Tools >> Active Directory Users and Computers.
Add the user to the following groups:
Distributed COM Users
Performance Monitor Users
Event Log Readers
Open the WMI Control console.
3.1. Click Start.
3.2. Click Run.
3.3. Type wmimgmt.msc.
3.4. Click OK.
In the console tree, right-click WMI Control and click Properties.
Click the Security tab.
In the Security dialog box, click Add.
In the Select Users, Computers, or Groups dialog box, enter the object name Performance Monitor Users. Use Advanced to query for objects.
In the Security dialog box, under Permissions, select the following permissions:
Remote Enable
Read Security
Assign the user to use Component Services.
Go to Component Services under Administrative Tools.
On the left panel of the Component Services window, expand Component Services >> Computers.
Right-click My Computer and choose Properties.
Select the COM Security tab.
Provide both Access Permissions (Remote Access) and Launch and Activation Permissions (Remote Launch and Remote Activation) to the newly created user.
Note
Configure the WMI Fetcher in LogPoint and remember to provide the username and password of the Windows account while configuring it.
Remember to uncheck Use simple file sharing (Recommended) under Folder Options >> View while configuring WMI for Windows XP.
The Event Log Readers group, which is required to read Windows events with non-admin rights, is not available on Windows Server 2003.
The FTP Fetcher sets up an FTP client in LogPoint. Once the FTP client is configured, you can pull the log files hosted on remote FTP servers.
Configuring FTP Fetcher in LogPoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under the Actions column of the related device.
Click FTP Fetcher.
Click Add.
[Figure: Configuring FTP Fetcher in LogPoint]
Provide Username and Password to the FTP server.
Provide Port on which the FTP service is running. The default port is 21.
Provide the Relative FilePath and the Filename Pattern (a Python regex). The pattern is matched against all the files below the provided file path and determines which files the logs are fetched from.
Select the Forward Old Logs checkbox to forward the old logs.
Enter the Fetch Interval in minutes.
Select a Parser, a Processing Policy, and a Charset from the drop-down menus.
Click Submit.
Note
For plain text files whose content is appended continuously, the contents are fetched only from the latest append. However, for compressed files, logs are fetched from the very beginning.
Configuring Filezilla server for FTP Fetcher
Go to Edit >> User.
Click Add.
Create a password-protected account.
Click Shared folders on the left.
Click Add to add the directory of the log files. Once you configure the root path, you can give paths relative to the root folder. Remember to give the Relative Path in LogPoint as \home\user\log_file.log
Click OK.
Note
Make sure you configure the correct timeout setting from the Edit >> Settings menu.
You need to allow the connection to the Filezilla server through the firewall of your system.
The SCP Fetcher fetches logs from log files present on a remote host over an SSH connection.
Configuring SCP Fetcher in LogPoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under the Actions column of the related device.
Click SCP Fetcher.
Click Add.
[Figure: Configuring SCP Fetcher in LogPoint]
Provide a Username for the fetcher.
Provide the Relative FilePath and the Filename Pattern (a Python regex). The pattern is matched against all the files below the provided file path and determines which files the logs are fetched from.
Select the Forward Old Logs checkbox to forward old logs.
Provide the Port number on which the SCP service listens on the remote server. The default SCP port is 22.
Enter the Fetch Interval in minutes.
Select a mode of Authentication: Password or SSH Certificate.
If you choose Password, provide the password in the Password field.
If you choose SSH Certificate, LogPoint automatically generates a certificate key for you.
Copy the password or the SSH certificate key, as it is required later for user validation on the remote host.
Choose a Parser, a Processing Policy, and a Charset.
Click Submit.
Note
You must enable SFTP (SSH File Transfer Protocol) in the remote server to fetch logs using the SCP Fetcher.
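The Relative FilePath and Filename Pattern fields of the FTP Fetcher and the SCP Fetcher above share the same semantics: a Python regex selects files below a directory, and the FTP Fetcher note explains that plain text files yield only what was appended since the last fetch while compressed files are read from the beginning every time. The following Python block is an added illustration of those rules, not LogPoint's code; it assumes the pattern is applied with re.fullmatch to the bare file name (the page only says it is a Python regex), builds a constructed sample tree under a temporary directory, and tracks per-file byte offsets the way an incremental fetcher must. It also handles two edge cases a practitioner runs into: a file that shrank because it was rotated, and a half-written last line without a trailing newline.

```python
import gzip
import os
import re
import tempfile


def match_files(root, rel_path, pattern):
    """Return the paths (relative to root, '/'-separated) of every file at or
    below rel_path whose name matches pattern.

    Assumption: the Filename Pattern is applied with re.fullmatch to the bare
    file name; the page only says it is a Python regex matched against files
    beyond the provided file path.
    """
    rx = re.compile(pattern)
    base = os.path.join(root, rel_path)
    hits = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            if rx.fullmatch(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def fetch_new(path, offsets):
    """Return the lines that are new since the last fetch of path.

    Plain text files are read from the byte offset stored in offsets, so only
    the latest append is returned. Compressed files are read from the very
    beginning every time, as the FTP Fetcher note states. A plain file that
    has shrunk (rotated or truncated) restarts from offset 0 so nothing is
    skipped, and a trailing partial line is left for the next fetch.
    """
    if path.endswith(".gz"):
        with gzip.open(path, "rt", encoding="utf-8") as fh:
            return fh.read().splitlines()
    start = offsets.get(path, 0)
    if start > os.path.getsize(path):
        start = 0
    with open(path, "rb") as fh:
        fh.seek(start)
        data = fh.read()
    cut = data.rfind(b"\n") + 1  # only consume complete lines
    offsets[path] = start + cut
    return data[:cut].decode("utf-8").splitlines()


def build_sample_tree():
    """Constructed sample data: a throw-away tree shaped like /home/user/log."""
    root = tempfile.mkdtemp(prefix="fetcher-demo-")
    logdir = os.path.join(root, "home", "user", "log")
    os.makedirs(os.path.join(logdir, "archive"))
    with open(os.path.join(logdir, "app.log"), "w", encoding="utf-8") as fh:
        fh.write("2024-01-01 login ok user=alice\n"
                 "2024-01-01 login failed user=bob\n")
    with gzip.open(os.path.join(logdir, "archive", "app.log.1.gz"), "wt",
                   encoding="utf-8") as fh:
        fh.write("2023-12-31 rotated entry\n")
    with open(os.path.join(logdir, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("not a log file\n")
    return root


def run_demo():
    """Two fetch cycles over the sample tree; returns (matched, first, second)."""
    root = build_sample_tree()
    matched = match_files(root, "home/user/log", r"app\.log(\.\d+\.gz)?")
    offsets = {}
    first = {f: fetch_new(os.path.join(root, f), offsets) for f in matched}
    # Something appends to the live log between the two fetch intervals.
    with open(os.path.join(root, "home", "user", "log", "app.log"), "a",
              encoding="utf-8") as fh:
        fh.write("2024-01-02 login ok user=carol\n")
    second = {f: fetch_new(os.path.join(root, f), offsets) for f in matched}
    return matched, first, second


if __name__ == "__main__":
    for name, value in zip(("matched", "first", "second"), run_demo()):
        print(name, value)
```

Running the block shows notes.txt excluded by the pattern, the second cycle returning only the appended line for app.log, and the compressed archive returned in full on both cycles; an offset store like this is what lets a fetcher resume without duplicating or losing events after restarts.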
The SNMP Fetcher allows you to make SNMP queries to network devices and bring the responses into LogPoint. You can then use these responses as event logs for further analysis.
An SNMP Fetcher needs an SNMP Policy to make the SNMP Walk query. SNMP Policy is a set of OIDs and their query time intervals.
The SNMP Fetcher makes an SNMPWALK query. The query uses SNMP GETNEXT requests to get the logs from a network entity. An object identifier (OID) is used while making this query; it specifies the branch of the OID tree to fetch. All variables in the sub-tree below the given OID are queried, and their values are presented to the user.
Before configuring an SNMP Fetcher, you need to create an SNMP Policy.
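To make the SNMPWALK description concrete, here is an added Python model of the walk, not LogPoint's code and not a network client: a device's MIB is represented as a dictionary of OID tuples (a constructed set of standard MIB-2 objects with made-up values), get_next models one GETNEXT request, and snmp_walk repeats it until the returned OID falls outside the requested subtree or the agent reports the end of the MIB. Both stopping conditions are the ones a real walk has to check; forgetting the subtree check is what makes a walk run on into unrelated parts of the tree.

```python
def parse_oid(text):
    """'.1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid):
    return "." + ".".join(str(part) for part in oid)


# Constructed stand-in for a device's MIB: a few standard MIB-2 objects with
# made-up values. Keys are OID tuples, which compare lexicographically, which
# is exactly the ordering SNMP GETNEXT walks.
AGENT_MIB = {parse_oid(k): v for k, v in {
    "1.3.6.1.2.1.1.1.0": "Demo edge router",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,               # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "edge-01",            # sysName.0
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",           # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",           # ifDescr.2
    "1.3.6.1.2.1.4.1.0": 1,                    # ipForwarding.0
}.items()}


def get_next(mib, oid):
    """Model of one SNMP GETNEXT request: the first object whose OID sorts
    strictly after oid, or None when the agent would answer endOfMibView."""
    for candidate in sorted(mib):
        if candidate > oid:
            return candidate, mib[candidate]
    return None


def snmp_walk(mib, root_text):
    """Model of SNMPWALK over the subtree below root_text: repeated GETNEXT
    requests until the returned OID is no longer inside that subtree."""
    root = parse_oid(root_text)
    current = root
    results = []
    while True:
        nxt = get_next(mib, current)
        if nxt is None:
            break  # end of MIB
        oid, value = nxt
        if oid[:len(root)] != root:
            break  # the next object lies outside the requested subtree
        results.append((format_oid(oid), value))
        current = oid
    return results


if __name__ == "__main__":
    # Walk the system group, as an SNMP Policy entry for .1.3.6.1.2.1.1 would.
    for line in snmp_walk(AGENT_MIB, ".1.3.6.1.2.1.1"):
        print(line)
```

Each OID listed in an SNMP Policy is the root of one such walk, repeated at the policy's fetch interval. When choosing the SNMP Version for the fetcher, note that the v1/v2 community string travels in cleartext on every request, whereas Version 3 with an Authorization Key and Private Key authenticates and encrypts the exchange.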
Creating an SNMP Policy
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under the Actions column of the related device.
Click SNMP Fetcher.
Click the Policy button at the bottom of the panel.
[Figure: SNMP Policy List]
Click Add.
[Figure: Addition of an SNMP Policy]
Provide the Name of the policy.
Provide a list of OIDs and their respective Fetch times (in minutes).
Click Submit.
Configuring SNMP Fetcher in LogPoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under the Actions column of the related device.
Click SNMP Fetcher.
[Figure: Configuring SNMP Fetcher in LogPoint]
Choose an SNMP Version.
For Version 1/Version 2 (v_12), provide the Community String.
For Version 3 (v_3), provide the Username, Authorization Key, and Private Key.
Specify the Port number.
Choose an SNMP Policy.
Note
You can also apply a policy from plugins.
Select a Processing Policy to apply over the logs.
Choose an encoding format from the Charset drop-down menu.
Click Submit.
Security Device Event Exchange (SDEE) is a network protocol used by security devices to communicate. You can forward network statistics from SDEE devices into LogPoint via the SDEE Fetcher.
Configuring SDEE Fetcher in LogPoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under the Actions column of the related device.
Now, click SDEE Fetcher and configure its essential parameters.
[Figure: Configuring SDEE Fetcher in LogPoint]
Provide Username and Password.
Select a Parser, a Processing Policy, and a Charset from the drop-down menus.
Click Submit.