Certain devices send logs to dedicated ports. Collectors listen to dedicated ports and collect logs. These logs are then processed and transferred to a Logpoint for storage. For devices that can not send logs, you can use Built-in Fetchers to retrieve logs from them.
Logpoint has the following collectors:
Go to Integrations for more details on additional collectors and fetchers supported by Logpoint.
Note
The File System Collector is applied only to the localhost device to monitor the log files.
Syslog Collector collects data from the sources following the Syslog protocol. Once you add a device, the Syslog Collector can be used either as a proxy or as a device.
When the Syslog Collector is configured to operate as a proxy, the Syslog Collector receives syslog messages from the source devices and forwards them to Logpoint. The proxy mode can be useful in scenarios where direct communication between source devices and Logpoint is not possible, such as when there are network restrictions, location restrictions, or security policies in place.
When the Syslog Collector is configured to operate as a device, the Syslog Collector collects syslog messages from the source devices, processes the logs, and forwards them to Logpoint. Syslog Collector as a device is for environments where direct communication between source devices and Logpoint is allowed and preferred.
Configuring Syslog Collector in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under Actions.
Click Syslog Collector.
Syslog Collector¶
Select a Parser, a Processing Policy, and a Charset.
4.1. The ProofPointEmailProtectionLogParser joins the logs having fields with the same session_ids.
4.2. The EmailParser joins the logs having the same queue_id or message_id.
A system configured with these parsers display the search results of the collected logs within a time range of 10 seconds.
In Proxy Server, select
None, for the device to work as a Syslog Collector.
Use as Proxy, to use the device as a proxy. You won’t see Processing Policy because the logs coming from a proxy device do not need to be normalized and stored.
Syslog Collector (Use as Proxy)¶
Uses Proxy, for the device to use a proxy device to collect the logs. Use the dropdown to select a Proxy IP address of a proxy device and enter the device’s HostName. The hostname of a proxy device is case-sensitive. Parser and Charset disappear after you select Uses Proxy. This is because the parser and charset values added for the proxy device are used for all devices using that proxy.
Syslog Collector (Uses Proxy)¶
For each proxy, a device can have multiple hostnames. The hostnames for all the devices using the same syslog proxy must also be unique. Logpoint takes the first word after the log timestamp as HostName. Hence, the syslog proxy sending the logs in the following formats is supported:
Standard RFC 3164, with format:
<PRI> MTH DD HH:MM:SS Hostname LogContent
For example:
<12> Aug 12 13:14:59 HostName1 This is test1
Slightly modified syslog format with year mentioned:
<PRI> YYYY MTH DD HH:MM:SS Hostname LogContent
For example:
<13> 2015 Apr 8 05:28:13 HostNameA [warning] 1: #1192 Invalid IP resolution
2015 Apr 8 05:28:13 HostNameA [warning] 1: #1192 Invalid IP resolution
If a device, not configured as proxy, sends logs via a configured syslog proxy device, it is considered malicious and its events are rejected.
Click Submit.
Note
Logpoint also supports the following RFC5424 log format:
Standard RFC5424 format:
<PRI> [PRIVAL] [FULL-DATE]T[FULL-TIME] Log Content
- Here,
FULL-DATE = DATE-FULLYEAR “-” DATE-MONTH “-” DATE-MDAY
FULL-TIME = PARTIAL-TIME TIME-OFFSET
PARTIAL-TIME = TIME-HOUR “:” TIME-MINUTE “:” TIME-SECOND [TIME-SECFRAC]
TIME-SECFRAC = “.” 1*6DIGIT
IME-OFFSET = Z / (“+” / “-“) TIME-HOUR “:” TIME-MINUTE
For example: <165>1 2018-09-14T09:15:15.000003-07:00 Off set value -7 <165>1 2018-09-14T09:15:15.000003-11:00 Off set value -11
Additionally, the assignment mechanism of log_ts in the syslog parser also supports the format. The offset value of timezone is prioritized over the device timezone while assigning a value to the log_ts. This means that, if a log contains an offset timezone value and also has a device timezone, the log_ts is equal to the offset timezone.
Before you start receiving logs, you need to configure the settings on the log source. To configure your Linux or Windows machines to forward logs to Logpoint:
Configuration for Linux devices
Open the syslog configuration.
/etc/syslog.conf
Add your remote server in this format.
*.* @logserv.example.com:port
Example:-
*.* @192.168.2.205:514
Restart Syslog.
Configuring Linux devices for forwarding SSL encrypted log message
Install stunnel, and type the following command in the terminal.
sudo apt-get install stunnel
Copy /usr/share/doc/stunnel4/examples/stunnel.conf-sample to /etc/stunnel/stunnel.conf.
Go to /etc/stunnel/stunnel.conf and modify as follows (create it if doesn’t exist).
client=yes
Now, on the same config file add:
[sslsyslog]
accept = 127.0.0.1:60515
connect = 192.168.2.200:515
Restart the config file with:
stunnel4/etc/stunnel/stunnel.conf
Open /etc/syslog.conf with the administrative privilege.
Forward the logs to Logpoint server.
*.* @@127.0.0.1:60515
Restart syslogd with:
service rsyslog restart
Go to Logpoint server.
Select the Linux Device from Settings >> Configuration >> Devices and click Add Collectors/Fetchers.
Configuration for Windows devices
You can forward syslog format logs from Windows devices to Logpoint using third-party agents. We recommended InterSect alliance’s Snare for Windows.
Note
The following procedure only applies to Snare for Windows.
Go to Network Configuration in Snare.
Enter the IP address of your Logpoint in Destination Snare Server Address.
Enter port number 514 in the Destination Port.
Click Change Configuration.
Go to Apply the Latest Audit Configuration and click Reload Settings.
Sequence Numbering in logs collected from Syslog Collector
A sequence number is assigned per device per protocol to each log collected from the Syslog Collector. This helps you identify the order of the logs received from a particular device.
The log collected from a device with the device IP 192.168.0.135 and communicating via the TCP protocol is:
Sequence Number for TCP Log¶
The sequence number for the above log is 41, which is shown as the field value for seq_num_tcp. It means that this log is the 41st TCP log message received from the device with the device ip 192.168.0.135.
Similarly, the log collected from a device with the device ip 192.168.0.135 and communicating via the UDP protocol is as follows:
Sequence Number for UDP Log¶
The sequence number for the above log is 83, which is shown as the field value for seq_num_udp. It means that this log is the 83rd UDP log message received from the device with the device ip 192.168.0.135.
And, the log collected from a device with the device ip 192.168.0.135 and communicating via the SSL protocol is as follows:
Sequence Number for SSL Log¶
The sequence number for the above log is 68, which is shown as the field value for seq_num_ssl. It means that this log is the 68th SSL log message received from the device with the device ip 192.168.0.135.
Configuring Sequence Numbering
When you configure or add sequence numbers to logs, each log is assigned an incremental number starting from 1. Sequence numbering resets when you restart Syslog and when the number of logs reaches 1,000,000,000,000.
Go to Settings >> System Settings from the navigation bar and click System Settings.
Go to General tab, scroll until you find Sequence Numbering.
Select Add sequence numbers on log received from syslog collector.
Configuring Sequence Numbering for logs collected from Syslog Collector¶
Click Save.
Snare Collector collects and analyzes logs from the Windows Snare agent.
Configuring Snare Collector in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under Actions.
Click Snare Collector.
Configuring Snare Collector¶
Select a Parser, a Processing Policy, and a Charset from the dropdowns.
Click Submit.
Configuration for Windows devices
You can forward syslog format logs from Windows devices to Logpoint using third-party agents. We recommend InterSect Alliance’s Snare for Windows.
To configure Snare for Windows:
Go to the Network Configuration tab in the Snare.
Enter the IP address of your Logpoint in Destination Snare Server Address.
Enter port number 6161 in the Destination Port.
Click Change Configuration.
Go to Apply the Latest Audit Configuration and click Reload Settings.
FTP Collector collects logs from the files uploaded by users using FTP clients. You can add multiple FTP collectors for a single device. You can use any FTP client to forward logs to the FTP collector. We recommend FTP Rush or Filezilla.
Configuring FTP Collector in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click Add collectors/fetchers icon under Actions.
Click FTP Collector to see a list of all the FTP Collectors configured for the device.
FTP Collectors¶
Click Add.
Configuring FTP Collector in Logpoint¶
Enter a Username and a Password. These credentials are needed to configure settings on the client’s side.
Enter a Source Name. This is the unique identifier for the collector.
Select a Parser, a Processing Policy, and a Charset to apply over the logs.
Click Submit.
Configuring FTP Collector in FTP Clients
To configure FTP Rush or Filezilla:
Enter the address of Logpoint in Host.
Enter the Username and the Password of the FTP Collector.
Use Port 21.
Click Enter or Quick Connect to connect to the Logpoint.
Drag the log files from the Local site and drop it in the Remote site. The files are now transferred to Logpoint.
SNMP Trap Collector collects logs from SNMP enabled devices. SNMP traps are alert messages that devices use to notify the SNMP managerthat there are significant events.
Configuring SNMP Trap Collector in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under Actions.
Click SNMP Trap Collector.
Configuring SNMP Trap Collector in Logpoint¶
Choose an SNMP Version.
For v_12, enter the Community String.
For v_3, enter a Username, Authorization Key, Security Engine ID, and Private Key. The Authorization Key must contain at least 8 characters.
Select a Processing Policy to apply over the logs.
Click Submit.
Configuring SNMP for Windows
Install Simple Network Management Protocol (SNMP) from Turn Windows feature on or off in the Control Panel.
Run services.msc command.
Search for the SNMP Service. Right click on it and select Properties.
Select TRAPS tab.
Add Community name and Trap destinations.
Click OK.
To manually forward different SNMP traps:
7.1. Run evntwin command and select custom.
7.2. Click Edit and add the event sources.
7.3. Click OK.
sFlow monitors networks, wireless and host devices. Logpoint sFlow Collector forwards counter samples and flow samples using UDP or ARP protocol to Logpoint. Make sure sFlow Package is already installed. The default port number for sFlow protocol is 6343.
Configuring sFlow Collector in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under Actions.
Click sFlow Collector.
Configuring sFlow Collector in Logpoint¶
Select a Processing Policy to apply over the logs.
Click Submit.
Starting from Logpoint v6.12.0, the following fields have been renamed according to the Logpoint taxonomy for the sFlow Collector:
Previously Used Field Name |
New Field Name |
|---|---|
agent_ip_address |
host_address |
cs_ethernet_dot3_stats_AlignmentErrors |
alignment_error |
cs_ethernet_dot3_stats_CarrierSenseErrors |
carrier_sense_error |
cs_ethernet_dot3_stats_DeferredTransmissions |
deferred_transmission |
cs_ethernet_dot3_stats_ExcessiveCollisions |
excessive_collision |
cs_ethernet_dot3_stats_FCSErrors |
fcs_error |
cs_ethernet_dot3_stats_FrameTooLongs |
frame_too_long |
cs_ethernet_dot3_stats_InternalMacReceiveErrors |
mac_receive_error |
cs_ethernet_dot3_stats_InternalMacTransmitErrors |
mac_transmit_error |
cs_ethernet_dot3_stats_LateCollisions |
late_collision |
cs_ethernet_dot3_stats_MultipleCollisionFrames |
multiple_collision_frame |
cs_ethernet_dot3_stats_SingleCollisionFrames |
single_collision_frame |
cs_ethernet_dot3_stats_SQETestErrors |
sqe_test_error |
cs_ethernet_dot3_stats_SymbolErrors |
symbol_error |
cs_generic_if_direction |
direction |
cs_generic_if_if_status |
status_code |
cs_generic_if_in_bcast_pkts |
in_broadcast_packet |
cs_generic_if_in_discards |
in_discard |
cs_generic_if_in_errors |
in_error |
cs_generic_if_in_mcast_pkts |
in_multicast_packet |
cs_generic_if_in_octets |
in_octet |
cs_generic_if_in_ucast_pkts |
in_unicast_packet |
cs_generic_if_in_unknown_proto |
in_unknown_protocol |
cs_generic_if_index |
if_index |
cs_generic_if_out_bcast_pkts |
out_broadcast_packet |
cs_generic_if_out_discards |
out_discard |
cs_generic_if_out_errors |
out_error |
cs_generic_if_out_mcast_pkts |
out_multicast_packet |
cs_generic_if_out_octets |
out_octet |
cs_generic_if_out_ucast_pkts |
out_unicast_packet |
cs_generic_if_promisc |
if_promiscuous |
cs_generic_if_speed |
if_speed |
cs_generic_if_type |
if_type |
fs_input_if_format |
input_if_format |
fs_input_if_value |
input_if_value |
fs_output_if_format |
output_if_format |
fs_output_if_value |
output_if_value |
fs_rph_frame_length |
frame_length |
fs_rph_header_protocol |
header_protocol |
fs_rph_header_size |
header_size |
fs_rph_sample_dst_ip |
destination_address |
fs_rph_sample_dst_mac |
destination_hardware_address |
fs_rph_sample_dst_port |
destination_port |
fs_rph_sample_eth_type |
ethernet_type |
fs_rph_sample_ip4_flags |
ip4_flag |
fs_rph_sample_ip_version |
ip_version |
fs_rph_sample_protocol |
protocol |
fs_rph_sample_sender_ip_address |
source_address |
fs_rph_sample_sender_mac_address |
sender_hardware_address |
fs_rph_sample_src_ip |
source_address |
fs_rph_sample_src_mac |
source_hardware_address |
fs_rph_sample_src_port |
source_port |
fs_rph_sample_target_ip_address |
destination_address |
fs_rph_sample_target_mac_address |
target_hardware_address |
fs_rph_sample_tcp_flags |
tcp_flag |
fs_rph_sample_vlan_id |
network_id |
fs_rph_stripped |
rph_stripped |
fs_sample_pool |
sample_pool |
fs_sampling_rate |
sampling_rate |
fs_sequence_number |
sequence_number |
fs_source_id_index |
source_id_index |
fs_source_id_type |
source_id_type |
switch_uptime |
duration |
File System Collector collects logs from Logpoint file systems, allowing you to monitor file access, changes, and other activities. It is only applied to the localhost device. The File System collector processes all the internal logs generated in Logpoint. It captures all the logs from collectors, web servers, mergers, normalizers, services and integrations in Logpoint.
File System Collector can only access logs for files present in /var/log/ and /opt/immune/var/log. If you need to add any file path outside these two locations, contact support.
Configuring File System Collector in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under Actions.
Click File System Collector.
File System Collectors¶
Click ADD.
Configuring File System Collector in Logpoint¶
Enter File Path and Exclude Paths.
Select a Parser, a Processing Policy, and a Charset.
Click Submit.