Help Center Logpoint Docs Idea Portal Logpoint.com

Unanswered questions

192 Topics

Kai Gustafson
Kai GustafsonKnown Participant
asked in Design & Architecture

Has anyone tried getting log data from Topdesk in paticulare auditdata

This is a cloud services and looking for a solution to get data to our onprem LP servers. Regards Kai

2
Kai Gustafson
2 days ago
S
Syed Faisal QadriNew Participant
asked in Deployment

search current hash of kaspersky into logpoint

we need to search hash in logpoint of our current endpoint and servers. how we can do that. is there any package we need to install for particular application or anything elsealso we have edr kaspersky and imported its package in logpoint. we are getting teh windows logs only nott he hashes from kaspersky. we need to configure to recieve hashes from kasper sky 

0
S
17 days ago
S
Syed Faisal QadriNew Participant
asked in Use–cases

search current hash into logpoint without adding or connecting with threat feeds

we need to search hash in logpoint of our current endpoint and servers. how we can do that. is there any package we need to install for particular application or anything else.

1
S
17 days ago
Nirmal Unagar
Nirmal UnagarNew Participant
asked in Searching & Analytics

How to extract user from regex in search?

Hello folks, I am attempting to extract data for users who have browsed torrents. I've applied a regex query to match users, but it's returning all users instead of only those matching the regex.Here is a query : "user"=* application=bittorrent | process regex("^[a-zA-Z]\.[a-zA-Z]+\d*\.\d{2}$",user ) If anyone know what I am missing, love to hear. Thanks 

0
Nirmal Unagar
29 days ago
A
alekstaKnown Participant
asked in Normalization & Parsing

Change timestamp on incoming logs

Hi!I’ve several logs that comes in UTC timeformat. My timezone Is UTC + 2. Which mess things up when I perform querys, hunting, analyzing events and taking out reports.My log Exporters often send syslog in UTC timeformat, RFC-compliant behavior.Is It possible to apply any sort of Normalization Package for these incoming logs to fix this?Can I try with some querys that changes the log_ts & col_ts field to UTC +2 timezone? Instead of the default UTC timezone.Thanks

2
A
1 month ago
M
MicropoleKnown Participant
asked in Searching & Analytics

FileShare missing logs

Hi,I need you help form an issue that I have about the FileShare logs. In fact, when a user download the files form fileShare I didn’t have any log to shows downloaded file. In fact I receiving juste the “sycnhronisation” logs :Could you please tell me how can I do to receive the logs from fileshare to show when a user download or copy file ?Thank you in advance for your help :) Regards,Siawash

2
M
1 month ago
markus.nebel@8com.de
markus.nebel@8com.deBrainy
asked in Searching & Analytics

Performance Question: Has the order of search parameters influence on search performance?

Hi everyone!does anyone know if it makes any difference how you order the search parameters in a search query? example:event_id=1234 event_channel="Security"vs.event_channel="Security" event_id=1234  

2
G
1 month ago
M
MicropoleKnown Participant
asked in Use cases

Why this error message ?

Hi,I am trying to create a playbook in order to block an account. However I have an error message thas I can’t undrestand the reason. Could you please tell me why I have this error message ?“Bad/missing Action inputs! Details: Bad rest-action url: /users/...” Thank you in advance.Regads,Siawash

1
N
LogPoint Team
1 month ago
M
MicropoleKnown Participant
asked in Use cases

SOAR Playbook Creation From LogPoint Alerts

Hi,I need your help regarding the SOAR. In fact, I have just started the SOAR and I want to create a playbook From LogPoint alerts in order to block an IP@ or an action. Could please help me ? How can I do that ? Thank you in advance. Regards,Siawash 

1
N
LogPoint Team
2 months ago
U
Uwe PoliakNew Participant
asked in Normalization & Parsing

Windows Server DNS Query Log

Hi all,I have configured my windows 2022 dns server to log dns queries. We need those logs for security and possible forensic reasons. The configuration is done in Windows Event Manager as described in DNS Logging and Diagnostics | Microsoft Learn. We are using LPAgent to collect other logs from this server. The result is an etl file, which cannot be read from the eventlog with im_msvistalog configuration from LPAgent. etl cannot be read with the im_msvistalog plugin of LPAgent. I have read that there is an NXLOG EE plugin im_etw out there which should be able to handle this file type, but we do not have the NXLog Enterprise Subscription. Is there any other option to collect the dns query logs from the server and import them into LogPoint?Is ther e any the best practice to handle windows dns server query logs (without using NXLOG EE)?Kind regardsUwe

3
Nils Krumey
LogPoint Team
2 months ago
Kai Gustafson
Kai GustafsonKnown Participant
asked in Community feedback

When you comment a members reply there can go weeks before admin let your responce true.

Why is your admin’s so slow to approve answers, this is verry bad for people asking about a topic, they lose interest when it seems like no answers or suggestions are given. I have now several times waited for weeks to see my suggestions get through. This should be instant, or you should remove the approve process !!! Best regards Kai

4
Kai Gustafson
3 months ago
A
Alexandru ILIOIUParticipating Frequently
asked in Searching & Analytics

Data privacy on dashboards

I have activated the “Data Privacy” module and configured the fields, concerned groups, etc.I have a dashboard whose query contains one of the “encrypted” fields defined into “data privacy” module. Since activation, the dashboard is not displaying information anymore.There is a way to allow (via request/grant or something else) the dashboard to display the information ? Thanks,Alexandru  

0
A
3 months ago
A
Alexandru ILIOIUParticipating Frequently
asked in Searching & Analytics

Usage of computed fields into process functions

The following query put the result of processing function as “null” :| chart max(log_ts) as maxlogts  | process format_date(maxlogts,'YYYY/MM/dd') as endDate | fields maxlogts, endDate  I think the field “maxlogts” is not retrieved/recognized by function format_date().There is a way to obtain the field “endDate” not null ?

3
A
3 months ago
G
Gabriel LayanaNew Participant
asked in Use cases

How to configure AbuseIPDB instance in LogPoint SOAR

Hi everyone,I need to check some source addresses in my playbooks and I want to use AbuseIPDB for this action, but I can’t finish configuring AbuseIPDB instance and obtain some errors.  Could you help me with the correct configuration for this instance in SOAR LogPoint Playbook integrations?.  I have my api_key but I don’t know what is the correct base_url and threshold parameters if I need to review IP address. I hope your help Regards Gabriel

0
G
3 months ago
G
Gabriel LayanaNew Participant
asked in Technical FAQs

how to configure AbuseIPDB instance

Hi everyone, I need your help.  I need to check Public IP Address in my playbook to obtain some information about it.  I want to use AbuseIPDB but I’m obtaining error. Bad/missing Action inputs! Details: Bad rest-action url: base url/check I think the error is in my AbuseIPDB’s instance configuration.  What is the base_url and threshold that I have to configure?  I have my API Key ready. Thanks for your help. Regards, Gabriel

0
G
3 months ago
G
Gökhan GökNew Participant
asked in Searching & Analytics

several if-else

Hi everyone, i have a issue:I am writing a query. My query contains more than one if-else. However, because there are too many if-else, it does not return any result and gets stuck in “searching”. I wonder if there is a limit for else-if? If there is a small amount of else-if, it works, the query works, but if there is too much, unfortunately it doesn't work. I need help with this!!! since the values corresponding to each condition are different, I should use the else-if structure. I am open to different solution methods by the way.The query I wrote is as follows (here I just wanted to draw attention to the amount of else-if)I also get the following error: “No Response from server”alert=*| process eval("foo=if(alert=='xyz1') {return 1.2}else-if(alert=='xyz2') {return 1.0}else-if(alert=='xyz3') {return 1.21}else-if(alert=='xyz4') {return 1.2}else-if(alert=='xyz5') {return 1.29}else-if(alert=='xyz6') {return 1.25}else-if(alert=='xyz7') {return 1.29}else-if(alert=='xyz8') {return 1.200}el

3
G
4 months ago
G
Gökhan GökNew Participant
asked in Normalization & Parsing

Normalisation for Miliseconds

<123>2024-01-11T11:11:11.123Z hostnameI want to remove two fields from the above rohdaten using normalization, so to say. After normalization I should have the following fields:milliseconds=123log_ts=2024-01-11T11:11:11ZCan I do this in normalization (or signature)? If yes, can you write me the normalization/signature rule? This problem can be solved like this:| <<:int>><log_ts:datetime_m> <host:all>but I don't want that. I want to separate my fields at the beginning using normalization. 

0
G
4 months ago
M
Mike FurrerInspiring
asked in Configuration

Director Won´t let me Delete Device

Good Day EveryoneWhen trying to delete a device asset I get hit with this error “ Random hostname (Not the host name of the device I am trying to delete) does not appear to be an IPv4 or IPv6 network “And it won´t let me delete the device,I am not sure what to do about this, help would be greatly appreciated. 

1
HansHenrikMoerkholt
4 months ago
K
Kevin VillaltaNew Participant
asked in Configuration

How can I recover the pool configuration password?

Is there a way to get or change the configuration password for a Pool?

1
HansHenrikMoerkholt
4 months ago
M
Michael Schmidt JensenParticipating Frequently
asked in Searching & Analytics

Report

When I try to create a report it says “”Invalid number of fields used in process command, expected 7 field(s) but found 8” Why?

15
Nils Krumey
LogPoint Team
4 months ago
Rene Szeli
Rene SzeliNew Participant
asked in Operations Monitoring

Delete files in storage folder with bash command

Hi friends,I have the problem that the storage folder is now over 90% full.Now I wanted to empty the folder using bash commands directly in the disk notification and have applied the following to "Command:": find /opt/makalu/storage/ -type f -mtime +30 -deleteUnfortunately without success, the folder grows and grows. Do you have a tip or a solution for this?Thank you in advance and kind regards

12
Kai Gustafson
4 months ago
M
MicropoleKnown Participant
asked in Searching & Analytics

Alerts repetation

Hi,I would like to know if is it possible to receive one alert for the same action? For, example : for the following example if the same action is repeated several times I want to recive just one alert not more. action=Login source_address=1.1.1.1 user=titi | chart count() by user Is it possible ? If yes could you please tell me how do I do ? Best regards,SA

1
markus.nebel@8com.de
5 months ago
S
Stefano PrunottoNew Participant
asked in Design & Architecture

Logpoint 7.3.0 upgrade stalled

I have uploaded the logpoint 7.3.0 and 7.3.1 pak on logpoint server 7.2.4.I have started the 7.3.0 pak installation but after some hours is still in “installing” stateChecking the status I see that is blocked on SOAR Plugin upgrade …………………...Checking package status ...install; giving etc/, storage/ and var/ to loginspect only in changed filesinstall; removing old filesinstall; copying filesUpdate; updating plugins....Upgrading SOAR plugin I tried to install the 7.3.1 pak that fails because the 7.3.0 is not installed.I have restarted the server but nothing change.Could you please help me to understand the cause? 

4
markus.nebel@8com.de
5 months ago
M
MicropoleKnown Participant
asked in Searching & Analytics

use Joinner method in Templates

Hi,I Would like to use the joinner method in my template LogPoint. Whowever, I can’t use the “{{}}” for search parameter. Could you please tell me how should I do ? Here is an exemple of this tamplate :[ source_address=* display_name=* user=*] as s1 join [ user=* source_host=* source_address=*  ] as s2 on s1.user  = s2.user   {{source_host}} | rename  s2.source_host  as source_host  |  process geoip(s1.source_address) as country|  rename user as User |  chart count() by User, country, source_host   Note => I would like to search by this parameter {{source_host}} Thank you in advance.Siawash,

1
G
LogPoint Team
5 months ago
R
Ronny KempeNew Participant
asked in Normalization & Parsing

WIndows Logs

We would like to send log files from a directory such as C:\Logs to our logpoint server.What needs to be entered in nxlog.conf?

2
Kai Gustafson
5 months ago

Badge winners

Show all badges
Terms & ConditionsCookie settings