Label Packages are the collection of labelling rules. Labels are tags applied to each log message, used to characterize logs and group similar logs. For example, you can label all the login failed logs as failed. Using the label failed, you can group all the logs where the user failed to log in successfully. Labels can also be used to identify logs related to a specific threat technique or potential security attack.
Labels¶
In Logpoint, there are two types of Label Packages.
Vendor Packages: The label packages bundled with the Logpoint installation.
My Packages: The label packages that you add.
You can switch between My Packages and Vendor Packages by clicking the drop-down menu at the top-left corner.
Go to Settings >> Knowledge Base and click Label Packages.
Click Add.
Label Packages¶
Enter Name and Description in Package Information.
Adding a Label Package¶
Click Submit. Search Labels opens, containing all the existing search labels.
Click Add to add a new label.
Search Labels Panel¶
In Label Information, enter Search Query, select Package and enter List of Labels. Labels can contain only alphanumeric characters.
Adding Search Label Information¶
Click Submit.
In this example, all the log messages satisfying the search query device_ip = 127.0.0.1 are labeled with ip and device_ip.
Go to Settings >> Knowledge Base and click Label Packages.
Click Manage Labels icon in Actions for the respective label.
Click Add to open Search Label.
Enter Search Query, Package, and List of Labels.
Click Submit.
In this example, all the log messages satisfying the search query device_name = localhost are labeled with Localhost and 127.0.0.1.
Go to Search.
Enter the query to which you want to add the labels.
Click Search.
Click Add Search To.
Select Labelling Rule to open Search Label.
Select a Package, and enter a List of Labels.
Click Submit.
You may need to add a label to particular types of logs or the logs collected by a specific device. For example, to add a label printer to all the logs collected from the printer, you can add a label to the signature of the normalization package that is used to normalize printer logs. This will add the label to all the logs processed by that normalization package.
Go to Settings >> Knowledge Base and click Normalization Packages.
Click Signatures in Actions.
Click Edit Signature icon in Actions.
Type label in the first textbox for Key Values.
Enter a list of labels in the second textbox.
Click Submit.
In this example, all the logs normalized by normalization_package_1 are labeled with Benchmarker and LI_Logs.
Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.
Label Packages¶
Select the label packages you want to export.
Click Export.
The selected label package will be downloaded.
Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.
Label Packages¶
Click Import.
Browse to the label package.
Click Submit.
Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.
Click the Name of the to edit.
Label Packages¶
Update the information.
Click Submit.
Go to Settings >> Knowledge Base and click Label Packages.
Click Activate label package icon under Actions.
Label Packages¶
To activate multiple Label Packages, select all the packages you want to activate. Click More and choose Activate Selected Packages.
Label Packages¶
To activate all the Label Packages, click More and choose Activate All Packages.
Label Packages¶
Go to Settings >> Knowledge Base and click Label Packages.
Click De-activate label package icon under Actions.
Label Packages¶
To deactivate multiple label packages, select all the packages you want to deactivate. Click More and choose Deactivate Selected Packages.
Label Packages¶
To deactivate all the label packages, click More and choose Deactivate All Packages.
Label Packages¶
Go to Settings >> Knowledge Base and click Label Packages.
Click the Clone icon under Actions.
Label Packages¶
To clone multiple label packages, select all the packages you want to clone. Click More and select Clone Selected Packages.
Label Packages¶
To clone all label packages, click More and select Clone All Packages.
Label Packages¶
Enter new names for the cloned packages.
Select Replace Existing? to replace an existing package with the same name.
Clone Label Package Panel¶
Click Clone.
Go to Settings >> Knowledge Base and click Label Packages.
Click Delete icon under Actions.
Deleting a Label Package¶
To delete multiple Label Packages, select all the packages you want to delete. Click More and choose Delete Selected Packages.
Label Packages¶
To delete all the Label Packages, click More and choose Delete All Packages.
Label Packages¶
Select Yes to delete.