Configuring Log Sources

When you configure a Log Source, you define how logs are delivered to Logpoint. Logpoint supports multiple log collection methods, with Syslog Collector and Universal REST API being the most widely used.

The Syslog Collector is used for sources that send logs using the syslog protocol, such as network devices, operating systems, and many on-premise applications. It listens for incoming syslog messages and forwards them to Logpoint. The associated Log Source determines how these messages are identified, parsed, stored, and made available for search, detection, and reporting.

The Universal REST API is used for sources that send logs over HTTPS, typically in JSON format. This method is commonly used by cloud services, SaaS platforms, and custom applications that do not support syslog. Logs received via the API are processed the same way as syslog data, based on the Log Source configuration.

Configuring Syslog Collector

  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click Create New and select Syslog Collector.

Source

Add details about the log source from where the Syslog Collector fetches logs.

  1. Click Source.

  2. Enter Log Source’s Name.

  3. Enter Device Addresses. Device addresses are the IP addresses or hostnames of the devices whose logs you want to monitor.

  4. Select the Device Groups.

  5. Select a Time Zone.

  6. Enter the Inactivity Threshold in minutes. It specifies how long Logpoint waits without receiving logs before marking the log source as inactive in Last Log Received under Settings >> Log Sources. Enter a value from 5 to 525600.

  7. Configure the Risk values for Confidentiality, Integrity, and Availability. These values are used to calculate the risk level of alerts generated for the device.

Connector

Configure how the Syslog Collector and the log source communicate.

  1. Click Connector.

  2. In Proxy Server, select

    1. None for the device to work as a Syslog Collector.

      1. Select Parser and Charset.

      2. If you use a distributed Logpoint, select a collector/forwarder from the Distributed Collector dropdown.

    2. Use as a Proxy to use the device as a proxy.

      1. Select Parser and Charset.

      2. If you use a distributed Logpoint, select a collector/forwarder from the Distributed Collector dropdown.

    3. Uses Proxy, enabling the device to use a proxy to collect logs.

      1. If you use a distributed Logpoint, select a collector/forwarder from the Distributed Collector dropdown.

      2. Select a Proxy IP address of a proxy device and enter the Hostname of the source, which is case-sensitive.

Routing

Create repos and routing criteria. Repos are the locations where incoming logs are stored, and routing criteria determine the conditions under which logs are sent to each repo.

To create a repo:

  1. Click Routing and + Create Repo.

  2. Enter a Repo name.

  3. Enter the location in Path to store incoming logs.

  4. In Retention (Days), enter the number of days logs are kept in a repository before they are automatically deleted. The retention days must be at least 2 days.

  5. In Availability, select the Remote logpoint and Retention (Days).

  6. Click Create Repo.

  7. In Repo, select the created repo to store logs.

To create a Routing Criteria:

  1. Click + Add row.

  2. Enter a Key and Value. The routing criteria is applied only to logs that contain this key-value pair.

  3. Select an Operation for logs that have this key-value pair.

    1. Select Store raw message to store both the incoming and the normalized logs in the selected repo.

    2. Select Discard raw message to discard the incoming logs and store the normalized ones.

    3. Select Discard entire event to discard both the incoming and the normalized logs.

  4. In Repository, select a repo to store logs.

  5. Click the delete icon under Action to delete the created routing criteria.
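To make the three routing operations concrete, the following is an added, constructed model of how a routing criteria row (key, value, operation, repository) decides what is kept for an event. It is not Logpoint's code; it assumes the first matching row wins and that unmatched events go to the Log Source's repo with both raw and normalized copies.

```python
"""Constructed model of routing criteria as described on this page (not Logpoint's code)."""
from dataclasses import dataclass
from typing import Optional

# Operation names as they appear on the Routing page.
STORE_RAW = "Store raw message"        # keep raw + normalized
DISCARD_RAW = "Discard raw message"    # keep normalized only
DISCARD_EVENT = "Discard entire event" # keep nothing


@dataclass
class RoutingCriterion:
    key: str         # normalized field the row matches on
    value: str       # value that field must have
    operation: str   # one of the three operations above
    repository: str  # repo that receives the log when the row matches


def route_event(raw: str, normalized: dict, criteria: list, default_repo: str) -> Optional[dict]:
    """Return {"repo", "raw", "normalized"} for what is stored, or None if the event is discarded.

    Assumption of this model: rows are evaluated in order and the first match wins.
    """
    for c in criteria:
        if str(normalized.get(c.key)) != c.value:
            continue
        if c.operation == DISCARD_EVENT:
            return None
        if c.operation == DISCARD_RAW:
            return {"repo": c.repository, "raw": None, "normalized": normalized}
        if c.operation == STORE_RAW:
            return {"repo": c.repository, "raw": raw, "normalized": normalized}
        raise ValueError(f"unknown operation: {c.operation}")
    # No row matched: store both copies in the Log Source's own repo.
    return {"repo": default_repo, "raw": raw, "normalized": normalized}


# Constructed sample rows: denies keep the raw line for forensics, debug noise is
# dropped entirely, and other firewall events keep only the normalized fields.
CRITERIA = [
    RoutingCriterion("action", "deny", STORE_RAW, "security_repo"),
    RoutingCriterion("severity", "debug", DISCARD_EVENT, "-"),
    RoutingCriterion("device_category", "Firewall", DISCARD_RAW, "firewall_repo"),
]

# Constructed sample event (raw syslog line and its normalized form).
SAMPLE_RAW = "<134>Jan 10 12:00:00 fw01 kernel: DENY TCP 10.0.0.5:4444 -> 10.0.0.9:22"
SAMPLE_NORMALIZED = {"action": "deny", "severity": "info", "device_category": "Firewall",
                     "source_address": "10.0.0.5", "destination_port": 22}

if __name__ == "__main__":
    print(route_event(SAMPLE_RAW, SAMPLE_NORMALIZED, CRITERIA, "default_repo"))
```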

Normalization

Select normalizers for the incoming logs. Normalizers transform incoming logs into a standardized format to enable consistent, efficient analysis.

  1. Click Normalization.

  2. You can either select a previously created normalization policy from the Select Normalization Policy dropdown or select a Normalizer from the list and click the swap icon.

Enrichment

Select an enrichment policy for the incoming logs. Enrichment policies are used to add additional information to a log, such as user information, device type or geolocation, before analyzing it. For more information on enrichment, go to Enrichment Policies.

  1. Click Enrichment.

  2. Select an Enrichment Policy.

  3. Click Create Log Source to save the configurations of Source, Connector, Routing, Normalization, and Enrichment.

Managing Log Sources

Managing Log Sources lets you update or remove existing configurations as your environment changes. Editing a Log Source allows you to adjust settings such as endpoints, identifiers, or thresholds, while deleting a Log Source removes it from active log collection.

Editing Log Source

When editing a log source that devices use as a proxy server, you must also change the proxy configuration of those devices.

  1. Go to Settings >> Log Sources in the navigation bar.

  2. Click the log source and then Edit Log Source.

  3. Make the necessary changes and click Save Log Source.

Deleting Log Source

When deleting a log source that devices use as a proxy server, you must also change the proxy configuration of those devices.

  1. Go to Settings >> Log Sources in the navigation bar.

  2. Click the More icon for the log source, then click Delete Log Source.

  3. Click Delete.
