UnixLogs

You can get the following products' logs into Logpoint:

  • Unix Syscall

  • Unix Ftpd

  • Unix Zookeeper

  • Unix Vasd

  • Unix Iptables

  • Unix Logger

  • Unix Ftp

  • Unix Xntpd

  • Unix Redis Server

  • Unix Chkpwd

  • Unix IPsec

  • Unix Kubelet

  • Unix Generic

  • Unix adcli

  • Unix Dockerd

  • Unix Chef Client

  • Unix Simple Network Management Protocol (SNMP) Traps

  • Unix Auditd

  • Unix Crond

  • Unix Pure Ftpd

  • Unix Inetd

  • Unix SNMP

  • Unix Dhclient

  • Unix Cron

  • Unix Infinity

  • Unix Vparmodify

  • Unix VS Ftpd

  • Unix Rsandbox

  • Unix Runuser

  • Unix Devd

  • Unix Proftpd

  • Solaris OS

  • Unix SSL Proxy

  • Unix SCC

  • Unix Audispd

  • UNIX Network File System (NFS)

  • Unix nslcd

  • Unix Httpd

  • Unix Mountd

  • Unix dnsmasq

  • Unix Run-parts

  • Unix Kafka

  • Unix Ipmserver

  • Unix check nrpe

  • Unix Anacron

  • Unix php

  • Unix Xpand

  • Unix Routed

  • Unix Bash

  • UNIX Nscd

  • Unix Lvm

  • Unix Pengine

  • Unix Stonith NG

  • Unix Goferd

  • Unix Nagios

  • Unix IPMIEVD

  • Unix SAP

  • Unix Vmunix

  • Unix Savd

  • Unix Winbindd

  • Unix Syslog NG

  • Unix Switch User or Substitute User (SU)

  • Unix l4d

  • Unix Rsyslogd

  • Unix Rhnsd

  • Unix puppet-agent

  • Unix Suhosin

  • Unix Sudo

  • Unix ptymonitor

  • Unix Sfd

  • Unix Smbd

  • Unix passwd

  • Unix sssd

  • Unix Lrmd

  • Unix InotifyWait

  • Unix Userlevel Common Address Redundancy Protocol (UCARP)

  • Red Hat Linux

  • Unix rear

  • Unix Network Time Protocol daemon (NTPD)

  • Unix RpcMountd

  • Unix Lighttpd

  • Unix Cimserver

  • Unix Cmclconfd

  • Unix Lvmpud

  • Unix NS

  • Unix ndo2db

  • Kernel

  • Unix Agetty

  • Unix Sudoscriptd

  • Docker

  • Unix Rshd

  • Unix xinetd

  • Unix SSHD

  • Unix Cifs Upcall

  • Unix Auditlog

  • Unix Sftp Server

  • Unix rgmanager

  • Unix Pluggable Authentication Modules (PAM) Tally

  • Unix subscription-manager

  • Unix Syslogd

  • Common Unix System

  • Unix Systemd

  • Unix Yum

  • Unix Snmpd

  • Unix Named

  • Unix Newrelic Infra

  • Unix Crmd

Log Ingestion

Step 1: Download and install the integration

  1. Make sure the integration is installed, or download its .pak file.

  2. Download the .pak file from the Service Desk.

To install:

  • Go to Settings >> System Settings from the navigation bar and click Applications.

  • Click Import.

  • Browse to the downloaded .pak file and click Upload.

  • After installing it, you can find it under Settings >> System Settings >> Plugins.

Step 2: Use a Log Source Template

Logpoint recommends using a Log Source Template to receive normalized logs.

See: Creating Log Source via a Template

Step 3: Or ingest using a Device

(See Use Devices to Ingest Logs below for the detailed device workflow.)

Step 4: Configure and verify

After setting up and configuring the integration, check:

  • Normalized Key-Value Pairs/Vendor Field Mapping

  • Label Packages

Check Installed Integrations

  1. In the Navigation Bar, click System Settings.

  2. Click Applications.

  3. Search for the integration or use the column headers to filter the list.

Downloading and Installing

  1. Download the .pak file from the Service Desk.

  2. Go to Settings >> System Settings from the navigation bar and click Applications.

  3. Click Import.

  4. Browse to the downloaded .pak file.

  5. Click Upload.

  6. After installing it, you can find it under Settings >> System Settings >> Plugins.


Use Log Source Template to Ingest Logs

You must create a log source using the log source template to receive the normalized Linux logs. Go to Creating Log Source via a Template to learn more.

Use Devices to Ingest Logs

Ingesting through a device involves several steps. The high-level workflow is:

1. Configure a Repo

2. Add a Normalization Policy

3. Configure a Processing Policy

4. Add Unix as a Device

5. Configure a Fetcher or Collector

6. Compare your ingested logs with the log sample

Configure a Repo

Repos are locations where incoming logs are stored.

  1. Go to Settings >> Configuration from the navigation bar and click Repos.

  2. Click Add.

  3. Enter a Repo Name.

  4. Select a Repo Path to store incoming logs.

  5. Set a Retention Day to keep logs in a repository before they are automatically deleted.

Note: You can add and remove multiple Repo Path and Retention Day entries.

  1. Select a Remote LogPoint and set an Available for (day) value.

  2. Click Submit.

Add a Normalization Policy
  • Go to Settings >> Configuration and click Normalization Policies.

  • Click Add.

  • Enter a Policy Name.

  • Select the required Compiled Normalizers and Normalization Packages.

  • Click Submit.

Note: Unix uses the following normalizers:

Normalization Packages

  • LP_Unix Dovecot

  • LP_Unix Scponly

  • LP_Unix Nullmailer

  • LP_Unix Iptables

  • LP_Unix Syscall

  • LP_Unix Ftpd

  • LP_Unix Zookeeper

  • LP_Unix Vasd

  • LP_Unix Etcd

  • LP_Unix Rtkit

  • LP_Unix SQL Query

  • LP_Unix clurgmgrd

  • LP_Unix Logger

  • LP_Unix Ftp

  • LP_Unix Xntpd

  • LP_Unix Redis Server

  • LP_Unix Chkpwd

  • LP_Unix IPsec

  • LP_Unix Kubelet

  • LP_Unix Generic

  • LP_Unix adcli

  • LP_Unix Dockerd

  • LP_Unix Chef Client

  • LP_Unix SNMP Traps

  • LP_Unix Auditd

  • LP_Unix Crond

  • LP_Unix Pure Ftpd

  • LP_Unix Inetd

  • LP_Unix SNMP

  • LP_Unix Dhclient

  • LP_Unix Cron

  • LP_Unix Infinity

  • LP_Unix Vparmodify

  • LP_Unix VS Ftpd

  • LP_Unix Rsandbox

  • LP_Unix Runuser

  • LP_Unix Devd

  • LP_Unix Proftpd

  • LP_Solaris OS

  • LP_Unix SSL Proxy

  • LP_Unix SCC

  • LP_Unix Audispd

  • LP_UNIX NFS

  • LP_Unix nslcd

  • LP_Unix Httpd

  • LP_Unix Mountd

  • LP_Unix dnsmasq

  • LP_Unix Run-parts

  • LP_Unix Kafka

  • LP_Unix Ipmserver

  • LP_Unix check nrpe

  • LP_Unix Anacron

  • LP_Unix php

  • LP_Unix Xpand

  • LP_Unix Routed

  • LP_Unix Bash

  • LP_UNIX Nscd

  • LP_Unix Lvm

  • LP_Unix Pengine

  • LP_Unix Stonith NG

  • LP_Unix Goferd

  • LP_Unix Nagios

  • LP_Unix IPMIEVD

  • LP_Unix SAP

  • LP_Unix Vmunix

  • LP_Unix Savd

  • LP_Unix Winbindd

  • LP_Unix Syslog NG

  • LP_Unix SU

  • LP_Unix l4d

  • LP_Unix Rsyslogd

  • LP_Unix Rhnsd

  • LP_Unix puppet-agent

  • LP_Unix Suhosin

  • LP_Unix Sudo

  • LP_Unix ptymonitor

  • LP_Unix Sfd

  • LP_Unix Smbd

  • LP_Unix passwd

  • LP_Unix sssd

  • LP_Unix Lrmd

  • LP_Unix InotifyWait

  • LP_Unix UCARP

  • LP_Red Hat Linux

  • LP_Unix rear

  • LP_Unix NTPD

  • LP_Unix RpcMountd

  • LP_Unix Lighttpd

  • LP_Unix Cimserver

  • LP_Unix Cmclconfd

  • LP_Unix Lvmpud

  • LP_Unix NS

  • LP_Unix ndo2db

  • LP_Kernel

  • LP_Unix Agetty

  • LP_Unix Sudoscriptd

  • LP_Docker

  • LP_Unix Rshd

  • LP_Unix xinetd

  • LP_Unix SSHD

  • LP_Unix Cifs Upcall

  • LP_Unix Auditlog

  • LP_Unix Sftp Server

  • LP_Unix rgmanager

  • LP_Unix PAM Tally

  • LP_Unix subscription-manager

  • LP_Unix Syslogd

  • LP_Common Unix System

  • LP_Unix Systemd

  • LP_Unix Yum

  • LP_Unix Snmpd

  • LP_Unix Named

  • LP_Unix Newrelic Infra

  • LP_Unix Crmd

  • LP_Dell Data Domain

Compiled Normalizers

  • UnixSysmonCompiledNormalizer

  • UnixCompiledNormalizer

  • UnixAuditLogNormalizer

Configuring a Processing Policy

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the previously created Normalization Policy.

  5. Select the Enrichment Policy.

  6. Select the Routing Policy.

  7. Click Submit.

Adding Unix as a Device

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add.

  3. Enter a device Name.

  4. Enter the Unix server IP address(es).

  5. Select the Device Groups.

  6. Select an appropriate Log Collection Policy for the logs.

  7. Select a collector or a forwarder from the Distributed Collector drop-down.

Note: Selecting the Device Groups, the Log Collection Policy and the Distributed Collector is optional.

  1. Select a Time Zone. The time zone of the device must be the same as that of its log source.

  2. Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.

  3. Click Submit.

Configuring a Collector or Fetcher

Unix uses the Syslog Collector.

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add icon from Actions of the previously added device.

  3. Click Syslog Collector.

Note: You can select a different collector depending on your requirements and the added device. To learn more about available collectors, see the collectors documentation. If you require assistance, contact our support team.

  1. Select Syslog Parser as Parser.

  2. Select the previously created Processing Policy.

  3. Select the Charset.

  4. In Proxy Server, select None.

  5. Click Submit.

Labels

Labels are key-value pairs assigned to log fields after parsing. They are used to categorize, enrich, and structure logs for easier search, correlation, and visualization. Labels also normalize vendor-specific logs to a unified searchable format.

Logpoint applies labels via:

  • Label Packages

  • Normalization Signatures

  • Labeling Rules

Activate vendor label packages via Settings >> Knowledge Base >> Label Packages.

LP_Unix Labels

Labels: Description

  • Cron, Job: Events with the pam_unix(cron:session) message.

  • Cron, Job: Events with the /USR/SBIN/CRON message.

  • Cron, Job: Events with the CRON or cron process.

  • NSCD: Events with the nscd process.

  • Successful: Events with the Successful, Success, or Login successful status.

  • Fail: Events with the Failed, Fail, or Login failed status.

  • Login: Events with the object in authentication, keyboardinteractive/pam, publickey, or password.

  • User, Login, Successful: Events with the Accepted Password, Accepted publickey, or Session opened message.

  • User, Login, Fail: Events with the Authentication Failure or Failed Password message.

  • User, Logoff: Events with the Session closed message.

  • User, Account, Management, Password, Change: Events with the Password changed message.

  • User, Account, Management, Remove: Events with the Delete user message.

  • User, Account, Management, Create: Events with the A new user message.

  • Privilege, Access: Events with the sudo or su process.

  • Service, Start: Events with the Starting or Start action for all Unix services.

  • Service, Restart: Events with the Re-starting, Restarting, or Restart action for all Unix services.

  • Service, Stop: Events with the Stop or Stopping action for all Unix services.

  • FTP: Events with the ftp or ftpd process.

  • ssh: Events with the sshd process.

  • Command, Execute: Events with the Unix command.

  • Remove: Events with the Delete or Deleted action.

  • Modify: Events with the Replace action.

  • Start, Change, Edit: Events with the Begin Edit action.

  • Add: Events with the Account added action.

  • Remove: Events with the Account removed action.

LP_Unix SSHD Labels

Labels: Description

  • Session, Close: Events with the closed action or the closed status.

  • Session, Open: Events with the opened action or the opened status.

LP_Common Unix Systems Labels

Labels: Description

  • Open: Events with the opened message.

  • Close: Events with the closed action.

  • Add: Events with the added action.

  • Delete: Events with the deleted action.

  • User, Delete: Events with the userdel process.

  • User, Add: Events with the useradd process.

  • Add: Events with the account added action.

  • Remove: Events with the removed action.

  • Successful: Events with the successful status.

  • Fail: Events with the failed status.

Labels available in LP_Unix Systemd

Labels: Description

  • Session, Start: Session start events.
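As an added illustration (not Logpoint's labeling engine and not its normalization signatures), the Python script below applies a simplified version of the LP_Unix, LP_Unix SSHD and LP_Common Unix System label rules from the tables above to a handful of constructed syslog lines modeled on the samples later on this page. It parses the syslog header and the key=value fields that pam_unix, sudo and useradd emit, then unions the labels of every rule whose process or message pattern matches. The regular expressions, the rule list, the host and user names are assumptions of this example.

```python
"""Assign Logpoint-style labels to Unix syslog lines.

Added example: the rule patterns below are a simplification written for this
page, not Logpoint's own signatures. Sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# One BSD syslog line: optional <PRI>, timestamp, host, process[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<process>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# key=value tokens as emitted by pam_unix, sudo and useradd; empty values (rhost=) are kept.
KV_RE = re.compile(r"(\w+)=([^\s,)]*)")

# (process pattern, message pattern, labels). Label names follow the tables on this
# page; the patterns are this example's own assumption. Matching is case-insensitive.
RULES: List[Tuple[Optional[str], Optional[str], Set[str]]] = [
    (r"^(cron|crond)$", None, {"Cron", "Job"}),
    (None, r"pam_unix\(cron:session\)", {"Cron", "Job"}),
    (r"^nscd$", None, {"NSCD"}),
    (r"^sshd$", None, {"ssh"}),
    (r"^(ftp|ftpd)$", None, {"FTP"}),
    (r"^(sudo|su)$", None, {"Privilege", "Access"}),
    (r"^useradd$", None, {"User", "Add"}),
    (r"^userdel$", None, {"User", "Delete"}),
    (None, r"accepted (password|publickey)|session opened", {"User", "Login", "Successful"}),
    (None, r"authentication failure|failed password", {"User", "Login", "Fail"}),
    (None, r"session closed", {"User", "Logoff"}),
    (None, r"password changed", {"User", "Account", "Management", "Password", "Change"}),
    (None, r"\bnew user\b", {"User", "Account", "Management", "Create"}),
    (None, r"\bdelete user\b", {"User", "Account", "Management", "Remove"}),
    (None, r"\bCOMMAND=", {"Command", "Execute"}),
    (None, r"\b(successful|success)\b", {"Successful"}),
    (None, r"\b(failed|failure|fail)\b", {"Fail"}),
]
COMPILED = [
    (re.compile(p, re.I) if p else None, re.compile(m, re.I) if m else None, labels)
    for p, m, labels in RULES
]

# Constructed sample lines (hosts, users and addresses are placeholders).
SAMPLE_LINES = [
    "<85>Apr 19 08:58:13 host1 sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=alice uid=603 euid=0 tty=/dev/pts/0 ruser=alice rhost= user=alice",
    "Jul 23 06:27:39 host1 su[9233]: FAILED su for root by bob",
    "Aug 29 15:33:13 host1 sshd[2211]: Accepted publickey for carol from 203.0.113.5 port 51022 ssh2",
    "Aug 29 15:33:14 host1 sshd[2211]: pam_unix(sshd:session): session opened for user carol by (uid=0)",
    "Aug 29 15:40:01 host1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Aug 29 15:41:10 host1 useradd[2350]: new user: name=dave, UID=1005, GID=1005, home=/home/dave, shell=/bin/bash",
    "Aug 29 15:45:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
]


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split a line into ts/host/process/pid/msg plus a 'fields' dict; None if unparseable."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(m.group("msg")))
    return rec


def label_line(line: str) -> Set[str]:
    """Union of the labels of every rule matching the line's process name or message."""
    rec = parse_syslog(line)
    if rec is None:
        return set()
    labels: Set[str] = set()
    for proc_re, msg_re, rule_labels in COMPILED:
        if proc_re is not None and proc_re.search(str(rec["process"])):
            labels |= rule_labels
        if msg_re is not None and msg_re.search(str(rec["msg"])):
            labels |= rule_labels
    return labels


def label_counts(lines: List[str]) -> Counter:
    """How often each label was applied across a batch of lines (e.g. to spot Fail spikes)."""
    counts: Counter = Counter()
    for line in lines:
        counts.update(label_line(line))
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = parse_syslog(sample)
        print(f"{rec['process']:>8}  {sorted(label_line(sample))}")
    print("totals:", dict(label_counts(SAMPLE_LINES)))
```

Lines that do not parse receive no labels rather than raising, which is the behaviour you want when a collector mixes well-formed syslog with free-text noise; the `fields` dict keeps empty values such as `rhost=` so a later check can distinguish "no remote host" from "field absent".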

Adding the Labels

  1. Go to Settings >> Knowledge Base and click Label Packages.

  2. Under Vendor Label Packages, click the Activate Label Package icon.

  3. Click the Manage Labels icon to view the Search Labels.


Expected Log Samples

The log sample depends on the Unix product.

Unix Nullmailer

Unix Scponly

Unix Dovecot

IPtable

Meinberg NTP Server

Unix Sysmon

Unix Xrdp

Aug 29 15:33:13 xxxxx named[464]: client 1.1.1.1#1036: query (cache) denied

Unix Solaris OS (xrdp)

Unix Log

Expected Log Format

Modified Log Format

Example

Common Unix System

Unix SSHD

Unix Cron

Jul 23 06:27:39 xxxxx? su[9233]: FAILED su for xxxxx by xxxxx

Unix SU

Unix Sudo

<85>Apr 19 08:58:13 xxxxx sudo: pam_unix(sudo:auth): authentication failure; logname=xxxxx uid=603 euid=0 tty=/dev/pts/0 ruser=xxxxx rhost= user=xxxxx

Unix Crond

Unix Bash

Unix Passwd

Unix Auditd (examples)

Unix Auditd Enriched

Unix Bash (Example)

Unix Runuser

Unix Smbd

Unix Systemd

Note: We do our best to ensure that the content we provide is complete, accurate and up to date. Logpoint makes no representations or warranties of any kind, express or implied, about the documentation. We update it on a best-effort basis.
