System Settings

System Settings allows you to configure all system-related settings to ensure optimal performance, security, and connectivity. You can manage the following core configurations from it:

  1. SMTP: Set up an SMTP server to enable email notifications for alerts and system events.

  2. NTP: Configure Network Time Protocol (NTP) settings to keep Logpoint’s system clock synchronized with an external time server.

  3. SNMP: Monitor various metrics of Logpoint.

  4. HTTPS: Enforce secure HTTPS access to Logpoint to protect data transmissions.

  5. General: Update system-wide configurations, including hostname and administrative details.

  6. Syslog: Add a custom TLS (Transport Layer Security) certificate to enable secure log collection.

  7. Support Connection: Enable encrypted remote support access to Logpoint support for troubleshooting and assistance.

  8. Modes of Operation: Configure Logpoint as a log collector or syslog forwarder for efficient log ingestion and forwarding.

General

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select General.

  3. Enter a unique Logpoint Name. If different Logpoints have the same name, you cannot configure Distributed Logpoint.

  4. Enter a browser tab title to append to the existing tab title.

  5. Enter or update the Server Alias. Updating it does not change the Logpoint IP Address or the DNS.

    The Identifier is the unique value given to each Logpoint.

Important

Modes is for a future Logpoint Director (Director Console) release. Do not use.

  6. Select the Default Login Screen for Logpoint.

  7. Enter a Timeout (minutes) duration after which Logpoint users are logged out.

  8. In Base Repo Path for High Availability, enter the path where logs for the configured repos are stored temporarily. The default path for repos from the remote machine is /opt/immune/storage/. If the Distributed Logpoint is disconnected, logs are saved in the highavailability folder inside the specified path (<path>/highavailability/<repo_name>). Once the connection is restored, the logs are sent to the Distributed Logpoint and deleted from the highavailability folder. In the Distributed Logpoint, logs and indexes are stored in /opt/immune/storage/log and /opt/immune/storage/indexes respectively.

  9. In Apply Time Range On, select either Collection Timestamp (col_ts) or Log Timestamp (log_ts). col_ts is the time when Logpoint collected the log, and log_ts is the time when the device generated it. The time conversion of log_ts occurs when a Normalization Policy is applied to the relevant Collectors/Fetchers. Depending on your selection, either log_ts or col_ts is displayed at the top of each row of the search results and in the search graph; the search results themselves contain both.

  10. Select an Over Scan Period (in minutes) and a Time Zone. The overscan period is extra time added to a log search. Collection and Log Timestamps are displayed in the selected time zone, relative to UTC. The Time Range is applied to either the Collection Timestamp or the Log Timestamp across all Distributed Logpoints.

  11. Select a Time Zone.

  12. In SOAR, select Enable SOAR in Logpoint to enable incident investigation with Playbooks and Cases. Go to Getting Started with SOAR for details. Enabling or disabling SOAR may take some time depending on the available memory. SOAR is always disabled in the Logpoint Collector and Syslog Forwarder modes.

  13. In Usage Data, Logpoint collects and analyzes anonymized usage data by default; it does not collect Personally Identifiable Information (PII). Deselect Share Usage Data if you do not want to share your usage data.

Figure: General - System Settings

  14. Click Save Changes.

SMTP

SMTP (Simple Mail Transfer Protocol) is the communication protocol used to send emails for Logpoint alerts and incidents. If your mail server supports encryption, StartTLS encrypts the connection and the emails are sent in encrypted form. You also need to configure SMTP before using the Data Privacy Module.

To configure SMTP:

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select SMTP.

  3. In Server/Port, enter the IP address and port number of your mail server.

  4. Enter Sender Name and an Email address.

  5. By default, Logpoint uses opportunistic TLS, which encrypts emails only if your mail server supports it. Select SSL/TLS to enforce StartTLS; with this setting, emails are not sent if the connection cannot be encrypted.

  6. If you are using a private mail server, click Browse and upload the certificate signed by a private CA in Certificate. To use a public CA, leave the field blank.

  7. If you select Login Required, enter Username and Password.

Figure: SMTP - System Settings

  8. Click Save Changes.

To test the configuration:

  1. Click Test SMTP.

  2. Enter the Subject of the test e-mail.

  3. Enter an Email address.

  4. Enter a Message.

  5. Click Test SMTP. The email is sent within 20 seconds.

Figure: SMTP Test

NTP

NTP synchronizes the time of your Logpoint with a network time server.

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select NTP.

  3. Enable NTP to ensure synced and correct time across Logpoint servers and devices for consistent log analysis.

  4. Enter the Server address. You can add multiple server addresses by clicking the plus icon.

Figure: NTP - System Settings

  5. Click Save Changes.

SNMP

SNMP allows you to monitor various metrics of Logpoint. To see the list of metrics you can monitor by enabling SNMP, go to SNMP Monitoring. If you enable SNMP, Logpoint listens on port 161 for queries of the supported OIDs.

To enable SNMP:

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select SNMP.

  3. Turn on SNMPD Port.

  4. Enter a Community String. The SNMP community string in Logpoint is a read-only community string used to authenticate SNMP queries to Logpoint. Use this community string in your SNMP clients to query Logpoint and retrieve information.

Figure: SNMP - System Settings

  5. Click Save Changes.

HTTPS

Logpoint provides a default self-signed SSL (Secure Sockets Layer) certificate, which allows secure data transfer to and from Logpoint. You can generate and upload custom SSL certificates for your organization. The certificate must be 2048 bits, PEM-encoded (X.509 standard), and have a .crt or .pem extension, and the key file must have a .key extension. Encrypted certificates are not supported.

To generate a 2048-bit private key for HTTPS:

    openssl genrsa -out private.key 2048

To create a certificate signing request (CSR) for the custom certificate, which your CA then signs:

    openssl req -new -sha256 -key private.key -out logpointserver.csr

Self-signed or locally generated SSL certificates cannot be validated against any known root certificate authority, which leads to SSL certificate errors in browsers. To ensure browsers and applications can verify the certificate's authenticity, use a Public Key Infrastructure (PKI) based setup where certificates are issued and verified by a trusted Certificate Authority (CA). For information on certificates, go to SSL Certificate.
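A pre-upload check of the certificate and key requirements stated above (.crt/.pem certificate, .key file, PEM-encoded, unencrypted 2048-bit key), as an added example that is not Logpoint's code. It parses PEM/DER in pure Python so it runs without openssl, assumes an RSA key in PKCS#1 or PKCS#8 form, and the stub_key_pem helper builds a constructed, non-functional sample purely to exercise the check.

```python
"""Pre-upload check of a custom HTTPS certificate/key against the requirements
above (added example, not Logpoint code): .crt/.pem certificate, .key file,
PEM-encoded, unencrypted 2048-bit RSA key (PKCS#1 or PKCS#8). No openssl needed."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
REQUIRED_BITS = 2048

def pem_blocks(text: str):
    """[(label, der_bytes)] per PEM block; RFC 1421 encryption headers flag the label."""
    out = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        if "Proc-Type: 4,ENCRYPTED" in body:
            out.append((label + " (ENCRYPTED)", b""))
        else:
            out.append((label, base64.b64decode(re.sub(r"\s+", "", body))))
    return out

def der_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Modulus size of an unencrypted PKCS#1 or PKCS#8 RSA private key."""
    tag, pos, _ = der_tlv(der, 0)                  # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = der_tlv(der, pos)                  # version INTEGER
    tag, vs, ve = der_tlv(der, pos)                # modulus, or PKCS#8 AlgorithmIdentifier
    if tag == 0x30:                                # PKCS#8: unwrap the OCTET STRING
        tag, vs, ve = der_tlv(der, ve)
        if tag != 0x04:
            raise ValueError("malformed PKCS#8 key")
        return rsa_modulus_bits(der[vs:ve])
    if tag != 0x02:
        raise ValueError("not an RSA PKCS#1 key")
    return int.from_bytes(der[vs:ve], "big").bit_length()

def check_pair(cert_name: str, cert_pem: str, key_name: str, key_pem: str):
    """Return the list of problems; an empty list means the pair can be uploaded."""
    problems = []
    if not cert_name.lower().endswith((".crt", ".pem")):
        problems.append("certificate file must have a .crt or .pem extension")
    if not key_name.lower().endswith(".key"):
        problems.append("key file must have a .key extension")
    if not any(label == "CERTIFICATE" for label, _ in pem_blocks(cert_pem)):
        problems.append("certificate file contains no PEM CERTIFICATE block")
    keys = [(l, d) for l, d in pem_blocks(key_pem) if "PRIVATE KEY" in l]
    if not keys:
        problems.append("key file contains no PEM private key block")
    elif "ENCRYPTED" in keys[0][0]:
        problems.append("encrypted private keys are not supported")
    elif rsa_modulus_bits(keys[0][1]) != REQUIRED_BITS:
        problems.append(f"key is {rsa_modulus_bits(keys[0][1])} bits, expected {REQUIRED_BITS}")
    return problems

def der_encode(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def stub_key_pem(bits: int) -> str:
    """Constructed sample: a PKCS#1-shaped PEM with only a version and an all-ones
    modulus of `bits` bits. Not a usable key; it only exercises the check."""
    mod = b"\x00" + ((1 << bits) - 1).to_bytes(bits // 8, "big")  # 0x00 pad: high bit set
    der = der_encode(0x30, der_encode(0x02, b"\x00") + der_encode(0x02, mod))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"
```

Run check_pair on the actual files before uploading; each returned string names one requirement the pair violates.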

To upload the certificate:

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select HTTPS.

  3. Click Browse to find and select the Certificate.

  4. Click Browse to find and select the Key.

  5. Click Save Changes.

Figure: HTTPS - System Settings

Syslog

Syslog settings allow you to add a custom TLS (Transport Layer Security) certificate to enable secure log collection via Syslog. The syslog collector uses this certificate to maintain the confidentiality and authenticity of the logs transmitted on port 6514. For information on how to generate the custom certificate and key, go to HTTPS.

To add the certificate:

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Syslog.

  3. Click Browse to upload the custom TLS Certificate and Key.

  4. Enable Add sequence numbers on log received from syslog collector to give each syslog message a sequence number. The number is assigned per device and per protocol to each log collected by the Syslog Collector.

  5. In Message length, enter the size for Syslog messages. A Syslog message contains information about the log, such as timestamp, severity, facility, and description. The maximum message size is 64 KB, and the default is 12 KB. Any message that exceeds the configured length is split into multiple events at that size. For example, with a message length of 40 KB, a larger log is split into 40 KB segments.

  6. Enable Accept logs from Unregistered Log Sources to accept logs from any syslog source that is not registered as a device. The received logs are normalized using the _default_syslog normalization policy and stored in the default repo.

Figure: Syslog TLS - System Settings

  7. Click Save Changes.

Support Connection

Support Connection creates an encrypted end-to-end communication channel between Logpoint and Logpoint Support. Logpoint Support uses it to understand, troubleshoot, and fix issues on your deployment. To start a support connection from the console, run the start-support command, then use the ifconfig command to get the IPv4 address of the tap0 interface.

Before enabling support connection, make sure that your firewall is not blocking the connection from your Logpoint to the following:

Domain                  Port
reverse.logpoint.com    1193/UDP
customer.logpoint.com   443/TCP

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Support Connection.

  3. You must turn on Enable Support Connection for Logpoint to start retrieving the support connection IP. If the Support Connection IP is unavailable, click Refetch.

  4. Enter the retrieved support connection IP to the Logpoint Support team.

  5. Enter the Support Connection Enable Duration. The support session expires once this duration elapses. The support connection never expires if you set the duration to 0:0:0 or select Enable Support Connection Forever.

Figure: Retrieved Support Connection IP

  6. Click Save Changes.

Modes of Operation

Modes of Operation allows you to convert a standard Logpoint into a Logpoint Collector or a Syslog Forwarder. This flexibility enables tailored configurations for effective log collection and forwarding across distributed environments.

Logpoint Collector

Logpoint Collector collects logs from different sources, normalizes them using the signatures applied, and forwards them to a configured remote Logpoint. The remote Logpoint configures the sources and the storage locations for the logs. Logpoint Collector does not contain Dashboards, Search, Report, and Logpoint SOAR as it only collects logs. The name of each Logpoint node must be unique in a distributed deployment.

Configuring a Logpoint to a Logpoint Collector

You need at least two Logpoint servers, one as the Collector and another as the Main Logpoint.

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Modes of Operation.

  3. In LOGPOINT COLLECTOR CONFIGURATION, select Is this a Logpoint Collector installation?

  4. Click Enable Buffering to store the data in local persistence storage during a network outage. By default, the logs are stored in the buffer for 7 days. To change the default retention period, contact Logpoint Support.

Figure: Configuring Logpoint Collector

  5. Click Save Changes.

  6. Switch to the Main Logpoint.

    6.1. Go to Settings >> System Settings from the navigation bar and click Open Door.

    6.2. Enable Open Door.

    6.3. Note the Private IP and the Password.

Figure: Enabling Open Door

  7. Switch to the Collector Logpoint.

    7.1. Go to Settings >> Configuration from the navigation bar and click Remote Logpoint.

    7.2. Enter the IP Address of the Main Logpoint, the Password, and the Private IP.

Figure: Configuring Remote Logpoint

  8. The Collector is added under Settings >> Configuration from the navigation bar. Click Distributed Collector in the Main Logpoint and activate it from the Actions column.

Figure: Configured Collector setting in Main LP

Using a Logpoint Collector

You can use Logpoint Collector to collect logs by adding it as a device in the main Logpoint. Main Logpoint is primarily used to create dashboards, monitor, configure, and analyze the logs on connected Logpoints.

  1. In Main Logpoint, go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click ADD.

  3. Specify the Collector as a Distributed Collector.

  4. To verify the connection between the devices, switch to the Collector Logpoint. Go to View Devices from the navigation bar.

Figure: Device Setting - View Devices

To distinguish logs collected and normalized through the Collector, use the system-defined field collected_at in the search query. If you disable the Collector, remove it from the list of devices on the main Logpoint. If you change the password in the Collector from Settings >> Remote Logpoint, all services of the Collector restart, and logs are not collected until the Collectors and Fetchers are up and running again.

Syslog Forwarder

Syslog Forwarder collects logs from different sources, normalizes them using the signatures applied, and forwards them to the configured Logpoints and a target storage. Unlike Logpoint Collectors, Syslog Forwarder cannot act as a buffer.

Syslog Forwarder was implemented to introduce the concept of Air Gap. The main Logpoints are usually located in high-security zones whereas Syslog Forwarders and other devices are in low-security zones.

Converting a Logpoint to a Syslog Forwarder

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Modes of Operation.

  3. In SYSLOG FORWARDER, select Is this a Syslog Forwarder installation?

Figure: Modes of Operation - Syslog Forwarder

  4. Click Save Changes.

Using a Syslog Forwarder

To use a Syslog Forwarder after converting it, you need to:

  1. Export a config file

  2. Import the config file

  3. Add target

  4. Add devices

Exporting a config file

  1. Switch to the Main Logpoint and go to Settings >> Configuration from the navigation bar and click Distributed Logpoints.

  2. Add a Syslog Forwarder. Go to Adding a Syslog Forwarder for more information.

  3. Click the Export configuration icon in the Actions column. The config file is downloaded to your machine.

Importing the config file

  1. Switch to the Syslog Forwarder and go to Settings >> System Settings from the navigation bar and click Sync.

Figure: Sync config file

  2. Click Import Data.

Figure: Import config file

  3. Browse for the config file saved earlier.

  4. Click Upload.

Adding a Target

Targets are Logpoints that receive logs from Syslog Forwarder.

  1. On the Syslog Forwarder, go to Settings >> Configuration from the navigation bar and click Syslog Forwarder.

  2. Click Targets.

    Figure: Remote Target

  3. Click Add IP.

  4. Enter the Name and IP address of the target.

  5. Enter the Pattern of the logs to be forwarded. If you do not specify a pattern, all the logs are forwarded.

  6. Enter a Port number for the input port of the remote target machine.

  7. Select Enable UDP to use the User Datagram Protocol (UDP). If you do not select it, TCP is used.

    • If you Enable UDP, choose the UDP Size (In Bytes).

    Figure: Add IP

  8. Click Submit.

Adding a Target Storage

Target storage enables an air gap in low-security zones. You can add multiple Remote Targets but only one Target Storage. Add Storage is dimmed once the configuration for a target is complete. For each IP added as a Remote Target, add a Syslog Forwarder in the respective target Logpoint.

  1. On the Syslog Forwarder, go to Settings >> Configuration from the navigation bar and click Syslog Forwarder.

  2. Click Targets. Click Add Storage.

  3. Enter the Name of the storage.

  4. Enter the Path to the remote storage. The format of the path should be:

    //<IP Address>/<Path>/

    For example: //192.168.2.247/storage/

  5. Enter the Pattern of the logs to be forwarded. If you do not specify a pattern, all the logs are forwarded.

  6. Enter the Username and the Password.

    Figure: Add Storage

  7. Click Submit.

Adding a Device

  1. On Syslog Forwarder, go to Settings >> Configuration from the navigation bar and click Syslog Forwarder.

  2. Click Add. Device lists all the devices configured as the Syslog Forwarder in the Main Logpoint.

  3. Select devices by double-clicking on them.

  4. Enter Remote Target(s). It can be a remote IP or a remote storage.

  5. Click Submit.

Figure: Configure Devices

Fetching logs from Remote Storage using Syslog Forwarder File Fetcher

The logs stored in the storage device contain the field device_name="<end device name>". Use the search query device_name=<end_device_name> to verify the logs from the remote target.

  1. Go to Settings >> Configuration and click on Devices.

  2. Find the Remote Target and click the "+" icon in Actions.

  3. Select Syslog Forwarder File Fetcher.

Figure: Adding Syslog Forwarder File Fetcher

  4. Add the Syslog Forwarder File Fetcher with the following details:

    Charset: <desired charset> (utf8 by default)

    Remote Path: <path of the remote storage>

    Username: <username of the remote machine>

    Password: <system password of the remote machine>

  5. Click Submit.

SSH Key Pair for li-admin

A Logpoint Administrator can generate an SSH key pair for the li-admin user.

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select SSH Key Pair for li-admin.

  3. Enter a Passphrase.

  4. Click Regenerate Key Pair.

Figure: SSH Key Pair for li-admin

Lockout Policy

The Lockout Policy lets admin users control user login and password security. After a user is locked out, a User Locked icon appears in the Actions column for that user under Settings >> User Accounts >> Users from the navigation bar. The Logpoint administrator can unlock the locked user by clicking the icon.

Lockout threshold: The number of failed login attempts that locks a user account. The default is five attempts. You can set the threshold anywhere from 0 to 999, where 0 means a user account is never locked.

After three consecutive failed login attempts, the use of CAPTCHA authentication in addition to the username and password is required. If there are additional unsuccessful login attempts, due to a wrong username, password, or CAPTCHA authentication, and the specified lockout threshold is reached, an account is locked for the specified lockout duration.

Lockout duration: The number of minutes an account remains locked. By default, the lockout duration is 30 minutes. When the lockout duration is over, the user gets one more login attempt. If this attempt fails, the account is locked for another lockout period. This process continues until the user logs in with valid credentials. The lockout duration can be between 1 and 99999 minutes.
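The threshold, CAPTCHA and repeated-lockout rules described above, simulated as a small state machine so the behaviour can be reasoned about before choosing values. This is an added example, not Logpoint's code; the lock_count field and the attempt sequence in run_scenario are constructed for illustration.

```python
"""Simulation of the lockout policy described above (added example, not
Logpoint code). Rules modelled from the page:
  * after 3 consecutive failed attempts a CAPTCHA is required as well;
  * when consecutive failures reach the lockout threshold (0 = never lock),
    the account is locked for the lockout duration in minutes;
  * when the lock expires the user gets exactly one more attempt; if it
    fails, the account is locked again, until a valid login resets it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CAPTCHA_AFTER_FAILURES = 3                   # stated on the page
T0 = datetime(2024, 1, 1, 9, 0)              # constructed start time for the scenario


@dataclass
class AccountState:
    failures: int = 0                        # consecutive failed attempts
    locked_until: Optional[datetime] = None  # None means not locked
    lock_count: int = 0                      # audit counter; an assumption, not a UI field


@dataclass
class LockoutPolicy:
    threshold: int = 5          # 0..999, 0 disables locking (page default: 5)
    lockout_minutes: int = 30   # 1..99999 (page default: 30)

    def __post_init__(self) -> None:
        if not 0 <= self.threshold <= 999:
            raise ValueError("Lockout threshold must be 0..999")
        if not 1 <= self.lockout_minutes <= 99999:
            raise ValueError("Lockout duration must be 1..99999 minutes")

    def captcha_required(self, st: AccountState) -> bool:
        return st.failures >= CAPTCHA_AFTER_FAILURES

    def attempt(self, st: AccountState, now: datetime,
                password_ok: bool, captcha_ok: bool = True) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"              # still inside the lockout duration
            st.locked_until = None           # expired: exactly one more attempt
        if password_ok and (captcha_ok or not self.captcha_required(st)):
            st.failures = 0                  # a valid login ends the cycle
            return "ok"
        st.failures += 1
        # The failure counter is not reset when a lock expires, so the single
        # extra attempt failing re-locks the account for another full period.
        if self.threshold and st.failures >= self.threshold:
            st.locked_until = now + timedelta(minutes=self.lockout_minutes)
            st.lock_count += 1
            return "locked"
        return "denied"


def run_scenario(policy: LockoutPolicy):
    """Constructed attempt sequence (minute offset from T0, password ok,
    CAPTCHA ok); returns (list of outcomes, final account state)."""
    st = AccountState()
    attempts = [
        (0, False, True), (1, False, True), (2, False, True),
        (3, False, True), (4, False, True),   # 5th failure -> locked until 09:34
        (10, True, True),                     # right password, but still locked
        (35, False, True),                    # lock expired; extra attempt fails -> re-locked
        (70, True, True),                     # lock expired; valid login
    ]
    outcomes = [policy.attempt(st, T0 + timedelta(minutes=m), pw, cap)
                for m, pw, cap in attempts]
    return outcomes, st


if __name__ == "__main__":
    print(run_scenario(LockoutPolicy()))
```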

Configuring Lockout Policy

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Lockout Policy.

Figure: Configuring Lockout Policy

  3. Select a Lockout threshold from the dropdown. The default is 5.

  4. Enter the Lockout duration. The default is 30 minutes.

  5. Click Save Changes.

Enrichment

Enrichment settings manage data enrichment in Standalone Mode and Enrichment Propagation Mode. In Standalone Mode, all enrichment tasks are conducted on one Logpoint, which handles both adding enrichment sources and performing the enrichment locally. Enrichment Propagation Mode uses multiple Logpoint machines distributed across a network. Go to Enrichment Sources for more information.

Before configuring Enrichment in either of the modes, it is necessary to configure some prerequisites in Logpoint. These essentials include Enrichment Sources, Enrichment Policies, Normalization Policies, and Processing Policies.

  • Integrations associated with the enrichment sources need to be installed before adding an enrichment source. For example, if you need to add an ODBC enrichment source, the ODBC Enrichment Source integration must be present in the Logpoint.

  • Enrichment settings manage whether you use Standalone Mode or Enrichment Propagation. To learn how to set up Enrichment, go to Enrichment Sources.

Standalone Mode

In Standalone Mode, you need to add enrichment sources to Logpoint and perform the enrichment in the same Logpoint. To use enrichment from other Logpoints, see Enrichment Propagation.

Go to Enrichment Sources for details on adding enrichment sources.

Configuring Enrichment in the Standalone Mode

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Enrichment.

Figure: Selecting Standalone Mode for Enrichment

  3. Select the Standalone Mode.

  4. Click Save Changes.

Enrichment Propagation

Enrichment Propagation uses multiple Logpoints to perform enrichment tasks. A Logpoint machine can be either an enrichment provider or an enrichment subscriber. You must set up a Distributed Logpoint connection to configure Logpoint in the Enrichment Propagation mode.

  • Enrichment Provider: Collects raw data and shares it with enrichment subscribers. It keeps a list of all the IP Addresses of enrichment subscribers.

  • Enrichment Subscriber: Receives enrichment data from an enrichment provider to create rules for the enrichment process. It also acts as a bridge between a Logpoint Collector and an enrichment provider. For Enrichment Subscribers, the Enrichment Sources option in Settings >> Configuration page is disabled. They have to use the sources of an enrichment provider.

  • You can have any number of enrichment subscribers but only one enrichment provider. One enrichment provider can be connected to:

    • A single enrichment subscriber

    • Multiple enrichment subscribers

    • A single enrichment subscriber connected to a Logpoint Collector

    • Multiple enrichment subscribers connected to multiple Logpoint Collectors

Configuring Enrichment Propagation

When setting up Enrichment Propagation, configure an Enrichment Provider first and then set up the Enrichment Subscribers. When setting up an existing Logpoint instance as an Enrichment Subscriber, you need to delete all existing enrichment policies and their dependencies before configuring it as an enrichment subscriber.

While removing the UEBA_ENRICHMENT_POLICY and Threat_Intelligence enrichment policies, remove Threat Intelligence and UEBA PreConfiguration too. After successfully removing the enrichment policies, manually install both the applications in the new enrichment subscriber.

  1. Go to Settings >> System Settings from the navigation bar and click System Settings.

  2. Select Enrichment.

  3. You must select Enrichment Propagation.

  4. Select Enrichment Provider or Enrichment Subscriber. If you select Enrichment Subscriber, choose a Subscription Source, which is the IP address of an enrichment provider from the dropdown menu.

Figure: Configuring Enrichment Propagation

  5. Click Save Changes.

Enrichment Propagation Working Scenario

The following scenario depicts an enrichment process in the Enrichment Propagation mode with a configuration of 2 machines: Machine 1 and Machine 2. In the Standalone Mode, all the above tasks are performed in a single machine.

  1. Select Enrichment Provider in Machine 1 and Enrichment Subscriber in Machine 2.

  2. Add a CSV Enrichment Source to Machine 1 using the data from the following CSV file.

Figure: CSV File

  3. Add a normalization package containing log signatures to Machine 2.

  4. Add a normalization policy, enrichment policy, and routing policy to Machine 2.

Figure: Adding an Enrichment Policy

  5. Add a processing policy incorporating all the policies created earlier, and apply it to a device.

You can now see the enriched results in the search results of the enrichment subscriber.

Figure: Non-enriched log result

Figure: Enriched log result

Drilldown Operation in the Enriched Results

Click the dropdown menu on the enriched fields to view the different actions.

Figure: Actions in enriched results

  1. Enrichment Source: Displays the information of the source file the enriched field belongs to.

  2. Participated Fields: Displays the field of a log specified in the enrichment rule to enrich the log.

Figure: Actions

In the above example, the Participated Field pid has been specified in the earlier created enrichment rule. The enrichment rule matches the value of the pid field in the log to the S.No. field in the source and enriches the log.

