Log Sources

Log Sources are integration templates through which you configure servers, applications, network devices, databases, or any other source so that Logpoint can collect or fetch their logs. The collected or fetched log data is centralized and analyzed within Logpoint in real time to detect potential security threats. A cloud source can have multiple endpoints, and each configured source consumes one device license.

You can identify a Log Source by hostname or IP address. Hostnames must follow the RFC hostname format. A hostname that resolves to multiple IP addresses is allowed, and one hostname is counted as one node regardless of how many addresses it resolves to.
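The following is an added example, not Logpoint's own code, that pre-validates the address entries of a Log Source and applies the one-hostname-one-node rule. The page says hostnames must follow "the RFC format" without naming one, so the example assumes RFC 1123 hostname syntax (labels of 1 to 63 letters, digits or hyphens, not starting or ending with a hyphen, at most 253 characters in total); the resolver table is constructed sample data standing in for DNS so the code runs offline.

```python
"""Pre-validate Log Source address entries and count nodes.

Added example, not Logpoint's own code. "The RFC format" is assumed to mean
RFC 1123 hostname syntax; SAMPLE_RESOLVER is constructed data, not DNS.
"""
import ipaddress
import re

# One DNS label: no leading hyphen, 1-63 allowed characters, no trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """RFC 1123 syntax check (assumed interpretation of 'the RFC format')."""
    name = name.rstrip(".")  # a trailing dot marks a fully qualified name
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_ip_literal(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(entry: str) -> str:
    """Return 'ip', 'hostname' or 'invalid' for one Log Source address entry."""
    if is_ip_literal(entry):
        return "ip"
    if is_valid_hostname(entry):
        return "hostname"
    return "invalid"


def count_nodes(entries, resolver):
    """Return (nodes, distinct_addresses).

    Each valid entry is one node even when the hostname resolves to several
    IP addresses; invalid entries are skipped rather than counted.
    """
    nodes = 0
    addresses = set()
    for entry in entries:
        kind = classify(entry)
        if kind == "invalid":
            continue
        nodes += 1
        if kind == "ip":
            addresses.add(entry)
        else:
            addresses.update(resolver.get(entry, []))
    return nodes, len(addresses)


# Constructed sample entries, including two that must be rejected.
SAMPLE_ENTRIES = [
    "web-01.example.net",
    "10.0.0.5",
    "2001:db8::10",
    "lb.example.net",        # resolves to three addresses, still one node
    "-bad.example.net",      # label starts with a hyphen
    "under_score.example",   # underscore is not allowed in a hostname label
]
SAMPLE_RESOLVER = {
    "web-01.example.net": ["10.0.0.20"],
    "lb.example.net": ["10.0.1.1", "10.0.1.2", "10.0.1.3"],
}

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e:24} {classify(e)}")
    print("nodes, addresses:", count_nodes(SAMPLE_ENTRIES, SAMPLE_RESOLVER))
```

Running the sample yields four nodes backed by six distinct addresses: the load-balanced hostname contributes three addresses but only one node, and the two malformed entries are rejected before they reach the Log Source configuration.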

Once you configure and save a Log Source, its settings can be saved as a template and reused to configure the same or different sources. Templates provide pre-defined settings, which reduces manual configuration and the risk of configuration errors, and they keep the collection, processing, and analysis of log data consistent, which matters for accurate security event analysis and reporting.

You must have Read, Create and Delete permissions on Devices, DeviceGroups, Log Collection Policy and Parsers to configure a Log Source.

Access to a log source's logs depends on object permissions for that log source. If the log source's IP address is changed or removed, users lose access to its logs unless they have full object permissions; a user with full permission keeps access as long as the log source name is unchanged. Conversely, if only the name is changed and the IP address stays the same, users with full permissions keep access.

Only users with full object permission can view the logs after the log source is deleted.

You can access Log Sources from Settings >> Log Sources in the navigation bar or directly from QUICK START in All Dashboards.

_images/quickstart_logsource.png

Log Sources in Quick Start

The Log Sources page displays an overview of each log source: its Name, the Template used, the Node Type, whether it is a Collector or a Fetcher, the Repo where the logs are stored, and the timestamp of the last log received. If a log is received within the configured threshold time, the Last Log Received timestamp appears in green. If no log is received within that period, the log source is considered inactive and the timestamp is shown in yellow. The default inactivity threshold is 60 minutes; you can change it when creating a log source.

You can also run the query "status"="inactive" "message"="Inactive Logsource monitoring" to find inactive log sources, and use it to generate alerts, visualize data in dashboards, create reports, and perform searches.

Important

The Last Log Received field may appear with a delay of up to 5 minutes. This behavior is intentional to maintain efficiency and ensure stability. Allow for this lag when choosing a short inactivity threshold or alerting on inactive log sources, so that a source is not flagged while the field is still catching up.

_images/logsource_page.png

Log Sources Page
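The inactivity check described above, as an added example that is not Logpoint's own code. It evaluates each log source's Last Log Received timestamp against its own threshold, adds a grace period for the up-to-5-minute display delay so that a source is not flagged spuriously, and emits monitoring events shaped to match the query "status"="inactive" "message"="Inactive Logsource monitoring". The record layout, the field names, the reading of the query as an AND of quoted key=value pairs, and the log sources and clock are all assumptions and constructed sample data.

```python
"""Inactive Log Source monitoring, modelled on the Last Log Received check.

Added example, not Logpoint's own code. Field names, the event layout and the
query-parsing rule are assumptions; SAMPLE_SOURCES and SAMPLE_NOW are
constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_THRESHOLD_MIN = 60   # page: default inactivity threshold
REPORTING_DELAY_MIN = 5      # page: Last Log Received may lag by up to 5 minutes
INACTIVE_QUERY = '"status"="inactive" "message"="Inactive Logsource monitoring"'


@dataclass
class LogSource:
    name: str
    last_log_received: Optional[datetime]       # None: nothing received yet
    threshold_min: int = DEFAULT_THRESHOLD_MIN  # editable per source


def is_inactive(src: LogSource, now: datetime,
                grace_min: int = REPORTING_DELAY_MIN) -> bool:
    """True when no log arrived within the source's threshold.

    The grace period absorbs the display delay: a source whose shown timestamp
    is 62 minutes old may have logged 2 minutes ago, so it is only flagged once
    the shown age exceeds threshold + delay.
    """
    if src.last_log_received is None:
        return True
    return now - src.last_log_received > timedelta(minutes=src.threshold_min + grace_min)


def find_inactive(sources, now):
    """Emit one monitoring event per inactive source, in input order."""
    events = []
    for src in sources:
        if is_inactive(src, now):
            events.append({
                "status": "inactive",
                "message": "Inactive Logsource monitoring",
                "logsource": src.name,
                "threshold_min": src.threshold_min,
                "last_log_received": (src.last_log_received.isoformat()
                                      if src.last_log_received else None),
            })
    return events


# The query is read as an AND of quoted key=value pairs (assumed; only that
# subset of the query language is handled here).
PAIR_RE = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"')


def parse_query(query: str) -> dict:
    """Turn '"k"="v" "k2"="v2"' into {"k": "v", "k2": "v2"}."""
    return dict(PAIR_RE.findall(query))


def query_filter(events, query: str):
    """Keep events whose fields equal every key=value pair in the query."""
    wanted = parse_query(query)
    return [e for e in events if all(e.get(k) == v for k, v in wanted.items())]


SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SOURCES = [
    LogSource("web-01", SAMPLE_NOW - timedelta(minutes=30)),        # active
    LogSource("fw-edge", SAMPLE_NOW - timedelta(minutes=70)),       # past 60 + 5
    LogSource("db-prod", SAMPLE_NOW - timedelta(minutes=62)),       # inside grace
    LogSource("o365-fetch", SAMPLE_NOW - timedelta(hours=3), 240),  # long threshold
    LogSource("new-sensor", None),                                   # never logged
]

if __name__ == "__main__":
    for event in query_filter(find_inactive(SAMPLE_SOURCES, SAMPLE_NOW), INACTIVE_QUERY):
        print(event)
```

With the sample data, only fw-edge and new-sensor are reported: db-prod is 62 minutes old on the display but stays within the grace period, and the fetcher with a 240-minute threshold is untouched by the 60-minute default. Dropping the grace period (grace_min=0) would flag db-prod as well, which is the false positive the 5-minute delay note warns about.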
