Version:

Enrichment Sources

Enrichment Sources maintain the information that you can use to enrich your logs. Logpoint currently supports the following type of enrichment sources:

  1. LDAP: You can use the LDAP (Lightweight Directory Access Protocol) enrichment source to enrich logs with the additional information of users extracted from the LDAP server. Go to LDAPEnrichmentSource Guide for more details.

  2. GeoIP: You can use the GeoIP enrichment source to enrich logs with the geographical information of a public IP address. Go to GEOIP Guide for more details.

  3. CSV: You can use the CSV enrichment source to enrich logs from data present in a Comma Separated Values (CSV) file. Go to CSVEnrichmentSource Guide for more details.

  4. IPtoHost: You can use the IPtoHost enrichment source to enrich logs with a reliable hostname. Go to Adding IPtoHost as an Enrichment Source for more details.

  5. ODBC: You can use the ODBC (Open Database Connectivity) enrichment source to look up the data in a database server and enrich the incoming logs. Logpoint supports the PostgreSQL, MSSQL, and MySQL databases. Go to Adding ODBC as an Enrichment Source for more details.

  6. Threat Intelligence: You can use the Threat Intelligence enrichment source to enrich logs with the information gathered from various threat intelligence sources. Go to Threat Intelligence Guide For Logpoint for more details.

../_images/LP_Config_ES_MainPage.png

Enrichment Sources

Note

  • Depending on the file size, the enrichment sources may still appear in the list after being deleted. In this case, you need to click Refresh to view the updated list.

  • Plugins associated with the enrichment sources must be available before adding an enrichment source. For example, to add an ODBC enrichment source, the ODBC plugin must be present in Logpoint.

  • The total size for the enrichment sources is set to 4 GB.

Adding IPtoHost as an Enrichment Source

You can use the IPtoHost enrichment source to retrieve a hostname from an IP Address present in an incoming log. Whenever Logpoint receives a log containing an IP Address, it requests a DNS Server to resolve the IP into a hostname. If the DNS succeeds in resolving the IP Address, the hostname is shown as an enriched field in the log. If not, the log remains as it is.

To add IPtoHost as an enrichment source:

  1. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.

  2. Click Add.

  3. Select IPtoHost.

    ../_images/LP_Config_ES_Add_IPtoHost.png

    Adding IPtoHost as an Enrichment Source

    Note

    If the Use only the private IPs present in the HOMENET list checkbox is enabled, Logpoint enriches only the logs with the IP field name present in the HOMENET list.

  4. Enter a Name.

  5. In IP Field Name, enter the field name which contains an IP Address.

  6. In Host Field Name, enter the field name where the hostname should be kept.

  7. Click Save.

Adding ODBC as an Enrichment Source

  1. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.

  2. Click Add.

  3. Select ODBC.

  4. Enter a Name.

  5. Select a Charset and a Driver.

    Note

    If you choose the MSSQL driver, a checkbox for Windows Authentication appears. If you select the checkbox, enter the domain of the Windows machine.

  1. Enter Server and Port of the database server.

  2. Enter a Database name.

  3. Enter Username and Password.

  4. Enter the SQL Query to fetch data.

  5. In Enrichment Options, select Age Limit and Update Interval. Age Limit is the validation limit of the source data and Update Interval defines the interval to read the source data.

  6. Select Type.

  7. Select Update to modify the ODBC connection, or Replace to restore the existing connection.

  8. Enter Increment Key, Increment Key Table, and New Line Separator. These values are required only for the Update type.

    ../_images/LP_Config_ES_Add_ODBC_Update.png

    • Increment Key indicates the value of the primary key field to be created automatically each time a new record is inserted. The Increment Key must always be an integer.

    • Increment Key Table indicates the table in which the Increment Key belongs to.

    • New Line Separator indicates the character that separates the values in the database.

  9. SOURCE FIELDS filled once you enter the correct values to all the fields of the CONNECTION PARAMETERS.

  10. Click Save.

Editing an Enrichment Source

  1. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.

  2. Select the required enrichment source and update the information.

../_images/LP_Config_ES_Edit.png

Enrichment Source

  1. Click Save.

Deleting Enrichment Source

  1. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.

  2. Click the Delete icon under Actions.

    ../_images/LP_Config_ES_Delete.png

    Enrichment Sources

    1. To delete multiple enrichment sources, select the sources, click More and choose Delete Selected.

    ../_images/LP_Config_ES_DeleteSelected.png

    Deleting selected Enrichment Source

    1. To delete all the enrichment sources, click More and choose Delete All.

    ../_images/LP_Config_ES_DeleteAll.png

    Deleting all Enrichment Sources

  3. Click Yes to confirm deletion.

Viewing Enrichment Data

  1. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.

  2. Click the Search icon under Actions of the source to view search results.

../_images/LP_Config_ES_Search.png

Enrichment Sources

  1. You can view the total DATA USED by all the enrichment sources near the top-left corner.

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support