Log Source Templates

You can create log sources from a list of templates that come with predefined settings and configurations for fetching logs from different sources.

Universal REST API Fetcher-based Templates

  • DuoSecurityFetcher

  • Trellix

  • Sophos

  • Okta

  • CiscoAMP

  • MailinBlack

  • Microsoft Defender ATP

For DuoSecurityFetcher and Trellix, refer to their respective guides.

To configure Sophos, Okta, and CiscoAMP:

  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click the log source template. All the fields are pre-configured; change the configuration only if needed.

  3. Click Create Log Source.

Syslog Collector-based Templates

  • A10 Networks

  • ActivTrak

  • Apache

  • Aruba

  • Barracuda

  • BitDefender

  • BlueCoat

  • Broadcom CA

  • CarbonBlack

  • CAS Server

  • Centrify

  • Check Point

  • Cisco

  • CiscoEmail

  • CrowdStrike

  • CyberArk

  • Cyberlytic

  • Cylance

  • Darktrace

  • Dell

  • DenyAll

  • ESET

  • Exim

  • EximEmail

  • F5

  • Forcepoint

  • Forescout

  • Fortigate

  • FSecure

  • IBM AIX

  • IIS

  • InfoBlox

  • Juniper

  • Kaspersky

  • Linux

  • Microsoft Exchange Server

  • Microsoft SQL Server

  • Mod Security

  • Netscaler

  • Nginx

  • Oracle

  • PaloAlto

  • PfSense Firewall

  • Proofpoint

  • Samba

  • Sophos General

  • StoneSoft

  • StormShield

  • Suricata

  • Trellix McAfee

  • Trend Micro

  • TrustWave

  • Varonis

  • Vectra

  • Veritas

  • VMWare

  • Wallix

  • WatchGuard

  • Web Analytics

  • Windows

  • Zeek

  • Zscaler

Microsoft365 Fetcher-based Templates

  • Microsoft365

Azure Log Analytics Fetcher-based Template

  • AzureLogAnalytics

Cloud Watch Fetcher-based Template

  • CloudWatch

S3 Fetcher-based Templates

  • S3

  • VPCFlowLog

  • CloudTrail

  • MysqlRDS

Event Hubs Collector-based Template

  • EventHubs

Cisco Umbrella Fetcher-based Template

  • CiscoUmbrella

GCP Collector-based Template

  • GoogleCloudPlatform

Gsuite Fetcher-based Template

  • GoogleWorkspace

Salesforce Fetcher-based Template

  • Salesforce

Creating Log Source via a Template

For Syslog Collector-based templates, you only need to enter the device addresses and add a repo to create a log source; all other information is optional. To configure additional settings, go to Syslog Collector.

To create a log source from a template:

  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click the log source template for an integration.

  3. Enter the Device Addresses.

  (Figure: Entering Device Addresses)

  4. Click Routing.

  5. Select a Repo from the drop-down or create a new repo.

  6. Click Create Log Source to save the configuration.

Creating a Template

You can create new templates from previously created log sources and export them. These templates can later be imported into Log Source and used to configure the same or a different source.

To create a new template:

  1. Go to Settings >> Log Sources from the navigation bar.

  2. Click the more icon for the log source.

  3. Select Edit Log Source.

  4. Click the more (ellipsis) icon and click Configure Template.

  5. Configure the template and click Save as Template.

To find the created template, go to Settings >> Log Sources and click Add Log Source.

To use the created template as a log source, click the template and click Save Configuration. The template is now saved as a log source. However, Logpoint must have the normalizers and repos used in the template. If the repos do not exist, you must either create repos with the same names or select different ones. For normalizers, you can either install the normalizer or deselect it. If Logpoint does not have the signature-based normalization package used in the imported template, Log Source installs it automatically.

Updating Template Configuration

To update Log Source template configuration:

  1. Go to Settings >> Log Sources from the navigation bar.

  2. Click Add Log Source.

  3. Click the more icon for the Log Source Template.

  4. Click Edit Template.

  5. Make the necessary changes and click Save Template.

    5.1. To save the changes in a new template, enter a new name for the template and click Clone and Save as New Template.

    (Figure: Cloning Templates)

    5.2. To save the changes in the same template, click Update Template.

    You can also update the configurations of the log sources that were created using this template. Select the log sources to update and click Update Log Sources.

    For Universal REST API, the following entities are updated:

    • Fetch Interval (min)

    • Request Timeout (secs)

    • Retry After (secs)

    • Charset

    • Custom Headers

    • Enforce HTTPS Certificate Verification

    • Normalizer

    • Logo

    • Description

    • Vendor Name

    For Syslog Collector, the following entities are updated:

    • Parser

    • Confidentiality

    • Integrity

    • Availability

    • Normalizer

    • Logo

    • Description

    • Vendor Name

    • Normalization

    (Figure: Updating Log Sources)

Outdated Normalizers

If a normalizer is outdated, it is dimmed in the list. You need to download the latest version.

(Figure: Outdated Normalizers)

To download the latest version:

  1. Go to the Service Desk. Search for the normalizer name and download it.

  2. Go to Settings >> System Settings from the navigation bar and click Applications.

  3. Click Import.

  4. Browse to the downloaded .pak file and click Upload.

Updating Template

To update a log source created from a template:

  1. Go to the log source and click Update Available. This option is displayed only if the template from which the log source was created has been updated.

    (Figure: Update Available)

  2. Select the Log Source and click Update Log Sources.

    (Figure: Updating Log Sources)

Exporting Template

During export, all custom normalization packages in the template are exported. For vendor normalization packages, only their metadata (name, version and vid) is exported.

You must first configure a log source and save it as a template before you can export it.

To export a Log Source template:

  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click the more icon and click Edit Template.

  3. Click the more (ellipsis) icon and click Configure Template.

  4. Click Export Template.

(Figure: Exporting Templates)

Importing Template

To import a Log Source template:

  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click Import Templates.

  3. Browse to the exported .pak file.

  (Figure: Importing a template)

  4. Click OK.

Go to Settings >> Log Sources to find the imported template. If a template with the same name as the imported template already exists, you must rename the imported one. In Choose new names, enter a new name for the template and click OK.

(Figure: Invalid Imports)

If you create a Log Source with an imported template that contains a custom normalization package, the package is automatically created in your Logpoint. In the case of a name conflict, the suffix "_1" is added to the name of the custom package.

In the case of vendor normalization packages, if your Logpoint has the same or a newer version of the vendor normalization package, the new version is automatically selected. If your Logpoint has the older version or does not have the required package, you must download and install the latest package from the Service Desk.

Deleting Template

To delete a Log Source template:

  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click the more icon for the Log Source Template and click Delete Template.

  (Figure: Deleting Template)

  3. Click Delete.
