Devices are all the machines from which you can collect logs. To start receiving logs from a device, make sure that you configure it in LogPoint, and then set up collection configurations and repos to it.
Figure: Devices
Note
You can view the details of each device by clicking the Details icon under the Actions column.
Go to Settings >> Configuration from the navigation bar and click Devices.
Figure: Devices
Click Add.
Figure: Adding a new device
Enter the device’s Name.
In Device address(es), enter the IP addresses or hostnames of the device. However, Logpoint currently supports only those hostnames that can be resolved into a single IP address.
Select the Device Groups and Log Collection Policies.
Select a collector/forwarder from the Distributed Collector drop-down. The drop-down lists all the distributed collectors and syslog Forwarders configured in the Distributed LogPoints.
Note
It is optional to select Device Groups, Log Collection Policies, and Distributed Collector.
Select a Time Zone.
Note
The timezone of a device must be the same as that of its log source. Logpoint uses the timezone to convert the timestamps in the collected logs to the timezone of the user searching the logs. If the timezones do not match, you may not see search results in the expected timeframe.
For example, if you are working in London and want to add two different devices located in Cairo and Brisbane, add the timezones as GMT+2:00 (Cairo) and GMT+10:00 (Brisbane).
Choose the Risk Values for the device. LogPoint uses the values to calculate the risk levels of any alerts generated from the device. For details, see step 19 of Creating an Alert Rule.
Click Submit.
In Available Collectors/Fetchers, select the relevant collectors and fetchers for your Logpoint platform, then configure their parameters.
Figure: Collectors and Fetchers
Click Submit.
Note
Click the ? symbol in the top-right corner for context-sensitive help.
To add collectors and fetchers on the existing devices, click the Add Collectors/Fetchers icon under the Actions column for the respective device. Refer to the Built-in Collectors and Built-in Fetchers section to configure the built-in collectors and fetchers.
Go to Settings >> Configuration from the navigation bar and click Devices.
Click Add bulk devices.
Figure: Adding Bulk Devices
At the bottom of Blocked IPs, click Detect Blocked IPs to list the IPs blocked on the ports where collectors are configured. The list contains all the devices that have sent logs to LogPoint within the last hour. In the Adding Bulk Devices figure above, the device with the IP address 10.94.2.94 is currently sending logs.
To add the blocked device, double-click the blocked IP. The device’s details are in Property, which you can use to manually enter or edit the device’s properties.
Click Add to add the device in the BULK ADD section.
Click Submit.
Note
You can also add a new device using Property. Enter the device’s details and click Save.
Click the Ignore icon to the right of a blocked IP address to ignore it.
Click the Ignored List button to view a list of all the ignored devices.
Figure: Ignored Devices
To remove the devices from the list, click the Remove icon under the Actions column.
You can also add Devices by importing them via a CSV file. Using a CSV file, you can easily import multiple devices at once.
While importing devices via .csv, you can also configure their Syslog collectors at the same time. This eliminates the need to configure Syslog collectors manually.
To configure a device to use a proxy, add the uses_proxy, proxy_ip, hostname, and processpolicy fields to the header row, and set uses_proxy to TRUE for the corresponding device.
To configure a device to be used as a proxy, add the use_as_proxy, charset, and parser fields to the header row, and set use_as_proxy to TRUE for the corresponding device.
Separate multiple hostnames with a semi-colon.
Proxy settings are not available for device addresses given in CIDR (Classless Inter-Domain Routing) notation.
While importing devices using a CSV file, the system checks only for a valid file extension. It then displays the message Import Successful regardless of the headers used in the CSV file. To check the status of the import process, open the Device Import Jobs panel by clicking Jobs.
For information on the Syslog Collector go to Syslog Collector. To import devices via CSV file:
Go to Settings >> Configuration from the navigation bar and click Devices.
Click Import.
Figure: Importing Devices via a CSV File
Browse for the CSV file. The first line of the CSV file must be a header row. Header names can be device_name, device_addresses, device_groups, log_collection_policies, distributed_collector, confidentiality, integrity, availability, and timezone. The device_name and device_addresses fields are mandatory.
Note
The values provided for all the non-mandatory fields must already exist in the system.
If a field has multiple values, separate them with a semi-colon.
Logpoint predefines which timezone values you need to use in the CSV file. Use the names exactly as listed in List of Timezones.
Click Submit.
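Because the import only checks the file extension and reports Import Successful whatever the headers are, it pays to validate the CSV before uploading it. The following is an added example (not LogPoint's own code) that checks the header names and the proxy rules described above; device names, addresses, group and policy values in the sample files are constructed placeholders, and the validator cannot check that non-mandatory values already exist in the system.

```python
import csv
import io

# Header names the page lists for device import; device_name and device_addresses are mandatory.
BASE_FIELDS = {"device_name", "device_addresses", "device_groups", "log_collection_policies",
               "distributed_collector", "confidentiality", "integrity", "availability", "timezone"}
PROXY_CLIENT_FIELDS = {"uses_proxy", "proxy_ip", "hostname", "processpolicy"}  # device behind a proxy
PROXY_SERVER_FIELDS = {"use_as_proxy", "charset", "parser"}                   # device acting as a proxy
MANDATORY = {"device_name", "device_addresses"}

def _blank(row, field):
    return not (row.get(field) or "").strip()

def validate_device_csv(text):
    """Return the problems found in a device-import CSV; an empty list means it is ready to upload."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    headers = set(reader.fieldnames or [])
    known = BASE_FIELDS | PROXY_CLIENT_FIELDS | PROXY_SERVER_FIELDS
    problems += [f"missing mandatory header: {f}" for f in sorted(MANDATORY - headers)]
    problems += [f"unknown header: {h}" for h in sorted(headers - known)]
    for n, row in enumerate(reader, start=2):  # line 1 is the header row
        addrs = [a.strip() for a in (row.get("device_addresses") or "").split(";") if a.strip()]
        if _blank(row, "device_name") or not addrs:
            problems.append(f"line {n}: device_name and device_addresses must be non-empty")
        for flag, required in (("uses_proxy", PROXY_CLIENT_FIELDS), ("use_as_proxy", PROXY_SERVER_FIELDS)):
            if (row.get(flag) or "").strip().upper() != "TRUE":
                continue
            missing = sorted(f for f in required if _blank(row, f))
            if missing:
                problems.append(f"line {n}: {flag}=TRUE requires {missing}")
            if any("/" in a for a in addrs):  # CIDR notation: proxy settings are not available
                problems.append(f"line {n}: proxy settings are not available for CIDR address ranges")
    return problems

# Constructed sample files: every name, address and policy value below is a placeholder.
GOOD_CSV = """device_name,device_addresses,device_groups,uses_proxy,proxy_ip,hostname,processpolicy
fw-cairo,10.94.2.94;fw-cairo.example.internal,Firewalls,FALSE,,,
web-brisbane,10.10.5.20,Web Servers,TRUE,10.10.5.1,web-brisbane.example.internal,example-policy
"""
BAD_CSV = """device_name,device_addresses,uses_proxy,proxy_ip,hostname,processpolicy
dmz-range,10.94.3.0/24,TRUE,,dmz-range.example.internal,example-policy
,10.94.4.7,FALSE,,,
"""

if __name__ == "__main__":
    print(validate_device_csv(GOOD_CSV) or "OK", validate_device_csv(BAD_CSV), sep="\n")
```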
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Name of the required device.
Figure: Devices
Update the information.
Update the collectors/fetchers for the device.
Click Submit.
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Delete icon under the Actions column of the device.
Figure: Devices
To delete multiple devices, select the devices, click the More drop-down menu and choose Delete Selected.
Figure: Devices
To delete all the devices, click the More drop-down menu and choose Delete All.
Figure: Devices
A delete confirmation dialog box appears on the screen. Click Yes to proceed.