Log Source Templates

Log Source Templates provide predefined configurations for collecting and normalizing logs from common devices, applications, and services. Each template includes the required parsing logic, field mappings, and expected log formats. By using Log Source Templates, you can onboard new log sources faster, reduce configuration errors, and ensure that security-relevant events are normalized into a common data model.

You must have Read, Create, and Delete permissions for Devices, DeviceGroups, Log Collection Policy, and Parsers to configure Log Sources.

Log source templates are made up of:

  • Source: Where the logs come from.

  • Connector: Defines how the log source connects to Logpoint. A collector retrieves logs from the source and buffers them; it receives logs on specific ports and can forward them to a Logpoint Storage Node. The collector uses a normalizer to split each log message into key-value pairs and applies static enrichment during processing.

  • Routing: The repositories (repos) where logs are stored, together with the criteria that direct each log to the correct destination. A routing rule specifies which repo on a given device stores an incoming log, based on a key or key-value pair in the log message.

  • Normalization: Assigns normalizers to standardize log formats. Normalization translates a raw log message into the Logpoint taxonomy. Raw log messages originate from different source devices in various formats. Normalizing enables searches and the identification of patterns and correlations across log messages from different log sources. For example, different firewall vendors may label fields in logs differently, or not label them at all. Normalization takes various input fields, such as a field labeled source or the third field from the left, and maps them to the standard field name source_address.

    Logpoint uses two types of normalizers:

    • Compiled Normalizers: Hard-coded and fast.

    • Normalization Packages: Contain one or more normalizers that use regex or signatures to find and extract key-value pairs from raw logs. Use signature-based normalizers on raw logs that are not well-defined.

  • Enrichment: Applies enrichment policies. Enrichment adds metadata from an enrichment source that was not present in the original log message. Enriched fields are shown in red in Logpoint.

    Two types of enrichment:

    • Static: Applied at data ingestion (collection or storage). Static enrichment is indexed, which makes queries over large datasets run faster.

    • Dynamic: Applied during analysis or when a query runs. Useful for lookups that are only possible after logs have been received (for example, from a threat intelligence table). Dynamic enrichment uses less storage than static enrichment and is well-suited to small datasets and short time ranges.

  • Endpoints (Conditional): For log sources that require specific endpoint settings.

  • Queries (Conditional): SQL queries to extract targeted log data from an SQL Server.
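The normalization, enrichment and routing stages described above, as an added example in Python that is not part of the Logpoint product or its documentation. It models a signature-based normalizer (a regex whose named groups carry the target field names), a static enrichment lookup applied at ingestion, and key / key-value routing to a repo, and shows what happens to a line that no signature recognises. The sample log lines, the asset table, the repo names, the action vocabulary and every field name other than source_address are constructed assumptions for this example.

```python
import re

# Constructed sample logs from two hypothetical firewalls; none of these
# lines comes from a real device or from the Logpoint documentation.
RAW_LOGS = [
    # Vendor A: key=value pairs, the source is labelled "srcip"
    'devname=fw-edge type=traffic srcip=10.0.0.5 dstip=203.0.113.9 dstport=443 action=deny',
    # Vendor B: positional fields, the source is the third field from the left
    '2024-05-01T12:00:02Z fw-dmz 10.0.0.7 198.51.100.4 22 tcp pass',
    # A line that matches no signature (simulates an unknown format)
    'heartbeat ok',
]

# Signature-based normalizers, tried in order. The regex is the signature;
# its named groups are the normalized field names. Only source_address is a
# field name taken from the text above; the others are assumed for the example.
NORMALIZERS = [
    ("vendor_a_kv", re.compile(
        r'devname=(?P<device_name>\S+) .*?srcip=(?P<source_address>\S+) '
        r'dstip=(?P<destination_address>\S+) dstport=(?P<destination_port>\d+) '
        r'action=(?P<action>\w+)')),
    ("vendor_b_positional", re.compile(
        r'^(?P<log_ts>\S+) (?P<device_name>\S+) (?P<source_address>\S+) '
        r'(?P<destination_address>\S+) (?P<destination_port>\d+) '
        r'(?P<protocol>\S+) (?P<action>\w+)$')),
]

# Vendor-specific action words folded into one vocabulary (assumed values).
ACTION_ALIASES = {"deny": "blocked", "block": "blocked",
                  "accept": "allowed", "pass": "allowed"}

# Static enrichment source: an asset table consulted at ingestion time.
ASSETS = {
    "10.0.0.5": {"zone": "user-lan", "asset_owner": "it-ops"},
    "10.0.0.7": {"zone": "dmz", "asset_owner": "web-team"},
}

# Routing rules evaluated in order as (key, value, repo). A value of None
# means "route on the presence of the key alone".
ROUTING_RULES = [
    ("action", "blocked", "fw_blocked"),
    ("zone", None, "internal_assets"),
]
DEFAULT_REPO = "default"


def normalize(raw):
    """Return the normalized fields of one raw line, or None if no signature matches."""
    for name, signature in NORMALIZERS:
        match = signature.search(raw)
        if match:
            event = {k: v for k, v in match.groupdict().items() if v is not None}
            event["norm_id"] = name
            event["action"] = ACTION_ALIASES.get(event["action"].lower(), event["action"])
            event["destination_port"] = int(event["destination_port"])
            return event
    return None


def enrich(event):
    """Static enrichment: attach asset metadata keyed on source_address (no-op for unknown hosts)."""
    extra = ASSETS.get(event.get("source_address"), {})
    return {**event, **extra}


def route(event):
    """Pick the repo from the first matching rule, falling back to the default repo."""
    for key, value, repo in ROUTING_RULES:
        if key in event and (value is None or event[key] == value):
            return repo
    return DEFAULT_REPO


def ingest(raw):
    """Normalize, enrich and route one line. Unparsed lines keep only the raw text
    and land in the default repo, so nothing is silently dropped."""
    event = normalize(raw)
    if event is None:
        return DEFAULT_REPO, {"raw": raw}
    event = enrich(event)
    return route(event), event


if __name__ == "__main__":
    for line in RAW_LOGS:
        print(ingest(line))
```

The first line is routed by a key-value match (action=blocked), the second by the mere presence of the enriched zone key, and the unrecognised heartbeat line falls through to the default repo with its raw text intact. Keeping an unparsed line rather than discarding it matters in practice: a new device firmware that changes the log format otherwise disappears from searches without any error.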

Available Templates

Syslog Collector-Based Templates
  • A10 Networks

  • ActivTrak

  • Apache

  • Aruba

  • Barracuda

  • BitDefender

  • BlueCoat

  • Broadcom CA

  • CarbonBlack

  • CAS Server

  • Centrify

  • Check Point

  • Cisco

  • CiscoEmail

  • CrowdStrike

  • CyberArk

  • Cyberlytic

  • Cylance

  • Darktrace

  • Dell

  • DenyAll

  • ESET

  • Exim

  • EximEmail

  • F5

  • Forcepoint

  • Forescout

  • Fortigate

  • FSecure

  • IBM AIX

  • IIS

  • InfoBlox

  • Juniper

  • Kaspersky

  • Linux

  • Microsoft Exchange Server

  • Microsoft SQL Server

  • Mod Security

  • Netscaler

  • Nginx

  • Oracle

  • PaloAlto

  • PfSense Firewall

  • Proofpoint

  • Samba

  • Sophos General

  • StoneSoft

  • StormShield

  • Suricata

  • Trellix McAfee

  • Trend Micro

  • TrustWave

  • Varonis

  • Vectra

  • Veritas

  • VMWare

  • Wallix

  • WatchGuard

  • Web Analytics

  • Windows

  • Zeek

  • Zscaler

Universal REST API Fetcher-Based Templates
  • DuoSecurityFetcher

  • Trellix

  • Sophos

  • Okta

  • CiscoAMP

  • MailinBlack

  • Microsoft Defender ATP

Azure Log Analytics Fetcher-Based Template
  • AzureLogAnalytics

CloudWatch Fetcher-Based Template
  • CloudWatch

S3 Fetcher-Based Templates
  • S3

  • VPCFlowLog

  • CloudTrail

  • MysqlRDS

Event Hubs Collector-Based Template
  • EventHubs

Cisco Umbrella Fetcher-Based Template
  • CiscoUmbrella

GCP Collector-Based Template
  • GoogleCloudPlatform

G Suite Fetcher-Based Template
  • GoogleWorkspace

Salesforce Fetcher-Based Template
  • Salesforce


Creating Log Source via a Template

For Syslog Collector-based templates, you can create a log source by entering the device addresses and selecting a repo; all other settings are optional. To configure additional settings, go to Syslog Collector.

Creating Log Source
  1. Go to Settings >> Log Sources in the navigation bar and click Add Log Source.

  2. Click the log source template for an integration.

  3. Enter the Device Addresses.

  4. Click Routing.

  5. Select Repo from the drop-down or create a repo.

  6. Click Create Log Source to save the configuration.

Creating a Template

Create new templates from previously created log sources and export them. These templates can later be imported into Log Source and used to configure the same or a different source.

Create a New Template
  1. Go to Settings >> Log Sources in the navigation bar.

  2. Click the more icon for the log source.

  3. Select Edit Log Source.

  4. Click the more icon and click Configure Template.

  5. Configure the template and click Save as Template.

To find the created template, go to Settings >> Log Sources and click Add Log Source.

To use the created template as a log source, click the template and click Save Configuration. The template is saved as a log source. However, the normalizers and repos used in the template must exist in Logpoint. If the repos do not exist, either create repos with the same names or select different ones. For normalizers, either install the missing normalizer or deselect it. If the signature-based normalization package used in an imported template is not installed, Log Source installs it automatically.

Updating Template Configuration
  1. Go to Settings >> Log Sources in the navigation bar.

  2. Click Add Log Source.

  3. Click the more icon for the Log Source Template.

  4. Click Edit Template.

  5. Make the required changes and click Save Template.

    • To save the changes as a new template, enter a new name for the template and click Clone and Save as New Template.

    • To save the changes to the same template, click Update Template.

You can also update the log source configurations created with this template. Select the log sources to update and click Update Log Sources.

For the Universal REST API, the following entities are updated:
  • Fetch Interval (min)

  • Request Timeout (secs)

  • Retry After (secs)

  • Charset

  • Custom Headers

  • Enforce HTTPS Certificate Verification

  • Normalizer

  • Logo

  • Description

  • Vendor Name

For Syslog Collector, the following entities are updated:
  • Parser

  • Confidentiality

  • Integrity

  • Availability

  • Normalizer

  • Logo

  • Description

  • Vendor Name

  • Normalization

Note: If a normalizer is outdated, it is dimmed in the list. You must download the latest version.

  1. Go to the service desk, find the normalizer, and download it.

  2. Go to Settings >> System Settings in the navigation bar and click Applications.

  3. Click Import.

  4. Browse to the downloaded .pak file and click Upload.

Updating Template
  1. Go to the log source and click Update Available. This option is displayed only if the template used to create the log source has been updated.

  2. Select the Log Source and click Update Log Sources.

Exporting Template

During export, all custom normalization packages in the template are also exported. For vendor normalization packages, only their metadata (name, version, and vid) is exported.

You must first configure the Log Source and save it as a template for export.

To export a Log Source template:
  1. Go to Settings >> Log Sources from the navigation bar and click Add Log Source.

  2. Click the more icon, then select Edit Template.

  3. Click the more icon, then select Configure Template.

  4. Click Export Template.

Importing Template

To import a Log Source template:
  1. Go to Settings >> Log Sources in the navigation bar and click Add Log Source.

  2. Click Import Templates.

  3. Browse to the exported .pak file.

  4. Click OK.

Go to Settings >> Log Sources to find the imported template. If a template with the same name as the imported template already exists, you must rename the imported one. In Choose new names, enter a new name for the template and click OK.

If you create a Log Source with an imported template consisting of a custom normalization package, the package is automatically created in your Logpoint. In the case of name conflict, the suffix “_1” is added to the custom package.

For vendor normalization packages, if your Logpoint has the same or a newer version of the vendor normalization package, the newer version is automatically selected. If your Logpoint is running an older version or does not have the required package, you must download and install the latest package from the Service Desk.

Deleting Template
  1. Go to Settings >> Log Sources in the navigation bar and click Add Log Source.

  2. Click the more icon for the Log Source Template and click Delete Template.

  3. Click Delete.

