Welcome to the SIEM community space! Post a question about anything related to SIEM and engage with fellow customers about all things SIEM.
Hi, I want to display all relevant information that is available for remote sessions, per remote session. However, this is contained in different logs that all have the same session_id. Suppose I gather those logs in a search via a single stream, for example like this:
[3 user="x*" type=login OR type=logoff OR type=authentication_try having same session_id] as Stream
How can I access the individual logs included? For example
| fields Stream.type, Stream.col_ts, Stream.user
or
| chart count() by Stream.user
etc. doesn't work. Just showing the fields without grouping by session_id is not the solution, since I cannot order the fields and all session_ids are mixed. Hope there's a way. Best, Georg
Hi everyone, here is a task that puzzles me: I am looking at events of remote connections and I want to display the connections that are currently active. One connection has events like "login", "authentication_try", "session_closed", etc., all with the same session_id. The number of logs with the same session_id may vary since, for example, there might be more than one authentication_try. So I would like to first group all events with the same session_id and then filter out those that do have a "session_closed" event. I tried to implement this with one or two streams (join) but did not come to a solution. With one stream I cannot give an exact number of logs "having same session_id"; with two streams I would need something like
[session_id=*] as first-stream join [session_id=*] as second-stream on first-stream.session_id=second-stream.session_id AND first-stream.log_ts!=second-stream.log_ts
Also a "not followed by" could have been a solution for this, which does not exist. Does any
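The grouping the two posts above ask for, written out in plain Python as an added example (this is not LogPoint query syntax and not code from the posts): collect every event carrying the same session_id into one group, filter the groups by user pattern, and keep only the sessions that have no closing event yet, regardless of how many events each session has. The field names (session_id, type, user, col_ts) follow the posts; the log lines and the closing event types are constructed.

```python
"""Group remote-session events by session_id and keep the sessions still open.

Added example, not LogPoint query syntax: the per-session grouping from the two
posts above, written in plain Python over constructed log lines so that the
"collect everything with the same session_id" step and the "drop sessions that
already have a session_closed event" step are explicit. The field names
(session_id, type, user, col_ts) follow the posts; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed key=value log lines standing in for normalized events.
SAMPLE_LOGS = [
    "col_ts=2024-03-01T08:00:00Z session_id=s1 type=authentication_try user=alice",
    "col_ts=2024-03-01T08:00:02Z session_id=s1 type=login user=alice",
    "col_ts=2024-03-01T08:30:00Z session_id=s1 type=session_closed user=alice",
    "col_ts=2024-03-01T09:00:00Z session_id=s2 type=authentication_try user=bob",
    "col_ts=2024-03-01T09:00:01Z session_id=s2 type=authentication_try user=bob",
    "col_ts=2024-03-01T09:00:05Z session_id=s2 type=login user=bob",
    "col_ts=2024-03-01T09:10:00Z session_id=s3 type=login user=xavier",
]

# Event types that end a session (assumption; adjust to the real log source).
CLOSING_TYPES = ("session_closed", "logoff")


def parse_line(line):
    """Split 'k=v k=v' into a dict and turn col_ts into an aware datetime."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["col_ts"] = datetime.strptime(ev["col_ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def group_by_session(lines):
    """session_id -> list of its events, each list sorted by col_ts."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        sessions[ev["session_id"]].append(ev)
    for evs in sessions.values():
        evs.sort(key=lambda e: e["col_ts"])
    return dict(sessions)


def sessions_for_user(sessions, user_glob):
    """Keep sessions whose user matches a shell-style pattern such as 'x*'."""
    return {sid: evs for sid, evs in sessions.items()
            if fnmatch(evs[0]["user"], user_glob)}


def open_sessions(sessions):
    """Sessions with no closing event yet; how many other events they have is irrelevant."""
    return {sid: evs for sid, evs in sessions.items()
            if not any(e["type"] in CLOSING_TYPES for e in evs)}


def session_summary(evs):
    """The per-session view the first post asks for: one row per session."""
    return {
        "user": evs[0]["user"],
        "first_seen": evs[0]["col_ts"],
        "last_seen": evs[-1]["col_ts"],
        "auth_tries": sum(1 for e in evs if e["type"] == "authentication_try"),
        "events": [e["type"] for e in evs],
    }


if __name__ == "__main__":
    sessions = group_by_session(SAMPLE_LOGS)
    for sid, evs in open_sessions(sessions).items():
        print(sid, session_summary(evs))
```

On the sample data s1 is closed and s2 and s3 are still open; s2 shows that a session with two authentication_try events is handled the same as one with a single try, which is the "no exact number of logs" problem the second post runs into.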
Hi all, I would like to send an email alert and choose the recipient depending on the triggered alert. For example, when a user changed his Active Directory password, I want to send him an email telling him that the password for his account was changed and that, if it was not himself, he should contact the helpdesk directly. Best, Edgar
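One way to do the routing the post above describes, as an added example that is not LogPoint's own notification feature: the recipient is derived from the event's user field through a directory lookup, the resulting address is checked against a strict pattern before it goes into an SMTP header, and unknown accounts fall back to the helpdesk. The directory is a constructed dict standing in for an AD/LDAP query, and the event field names (event_type, user, source_address, ts) are assumptions.

```python
"""Pick an alert e-mail recipient from the triggering event itself.

Added example, not LogPoint's own notification feature: for a password-change
event the affected account's mailbox is looked up in a directory (a constructed
dict here, standing in for an AD/LDAP query), the address is validated before it
is put into an SMTP header, and the message is built with the standard library.
Unknown accounts fall back to the helpdesk queue. The event field names
(event_type, user, source_address, ts) are assumptions.
"""
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed directory; a deployment would resolve sAMAccountName -> mail via LDAP.
DIRECTORY = {"edgar": "edgar@example.org", "alice": "alice@example.org"}
HELPDESK = "helpdesk@example.org"
SENDER = "siem-alerts@example.org"

# Only addresses matching this strict pattern are placed in headers. Log-derived
# strings can contain CR/LF; letting them into To:/Subject: is header injection.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# event_type -> (field naming the person to notify, body template)
ROUTING = {
    "password_changed": (
        "user",
        "The password for your account {user} was changed at {ts} from "
        "{source_address}. If this was not you, contact the helpdesk immediately.",
    ),
}


def header_safe(value):
    """Strip CR/LF so a log field can never smuggle an extra header line."""
    return re.sub(r"[\r\n]+", " ", str(value))


def resolve_recipient(user):
    """Directory lookup plus syntax check; None when no usable address exists."""
    addr = DIRECTORY.get(str(user).strip().lower())
    if addr is None or not ADDRESS_RE.fullmatch(addr):
        return None
    return addr


def build_alert_mail(event):
    """Return an EmailMessage for a routed event, or None if no rule matches."""
    rule = ROUTING.get(event.get("event_type"))
    if rule is None:
        return None
    field, template = rule
    who = event.get(field, "")
    to_addr = resolve_recipient(who) or HELPDESK
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = header_safe(f"[SIEM] {event['event_type']} for {who}")
    # defaultdict makes missing fields render as '?' instead of raising KeyError.
    msg.set_content(template.format_map(defaultdict(lambda: "?", event)))
    return msg


if __name__ == "__main__":
    sample = {"event_type": "password_changed", "user": "Edgar",
              "ts": "2024-03-01T08:00:00Z", "source_address": "10.0.0.5"}
    mail = build_alert_mail(sample)
    print(mail)
    # To actually deliver: smtplib.SMTP("mailrelay.example.org").send_message(mail)
```

The point of the address check is that the user name comes from a log line, so it is attacker-influenced input; a value like "bob\r\nBcc: someone@evil.example" must end up at the helpdesk, not in the header block.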
Hi, what are your opinions on increasing the size of the syslog message? Increasing the syslog message size will potentially have a negative impact on the performance of log collection, normalization and parsing. On the other hand, it is important to be able to extract the necessary information from collected log messages, and some Windows EventLog messages have increased in size over time. Take for example event ID 4662, "An operation was performed on an object": it can exceed 34000 in message size. Another example is custom application logs, where developers might have another opinion of what meaningful logs should contain. Regards, Hans
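An added example around the question above (not LogPoint code, not from the post): whether a 34 kB event survives depends on the size limits at sender and receiver and on how the TCP stream is framed. RFC 6587 octet-counting framing ("<length> <message>") lets a receiver reassemble a message of any length exactly, whereas a receiver that reads newline-delimited lines into a fixed buffer silently drops the tail, and for a 4662 event the object name sits at the end. The 4662-like payload is constructed, not a real event.

```python
"""Long syslog messages: RFC 6587 octet-counting framing and truncation checks.

Added example, not LogPoint code. The post weighs raising the syslog message
size. Two things decide whether a 34 kB Windows 4662 event survives: the sender
and receiver limits, and the TCP framing. Octet counting ("<len> <msg>") lets a
receiver reassemble a message of any length exactly; a receiver that instead
reads fixed-size lines silently drops the tail, which is where the object name
of a 4662 event sits. The 4662-like payload below is constructed, not a real
event.
"""


def build_4662_like(prop_count):
    """Constructed RFC 5424 message whose Properties list pushes ObjectName far back."""
    props = " ".join(f"{{{i:08x}-0000-0000-0000-000000000000}}" for i in range(prop_count))
    header = "<14>1 2024-03-01T08:00:00Z dc01 MSWinEventLog 1234 Security - "
    body = (f"EventID=4662 SubjectUserName=svc-backup ObjectType=user Properties={props} "
            "ObjectName=CN=Domain Admins,CN=Users,DC=corp,DC=example")
    return (header + body).encode("utf-8")


def frame_octet_counted(msg):
    """RFC 6587 octet-counting: decimal length, one space, then the raw message."""
    return str(len(msg)).encode("ascii") + b" " + msg


def parse_octet_counted(stream):
    """Split a TCP byte stream into complete messages; returns (messages, leftover)."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break  # length prefix not complete yet
        digits = stream[pos:sp]
        if not digits.isdigit():
            raise ValueError(f"bad octet-count prefix at offset {pos}: {digits!r}")
        start, end = sp + 1, sp + 1 + int(digits)
        if end > len(stream):
            break  # partial frame: wait for more bytes
        msgs.append(stream[start:end])
        pos = end
    return msgs, stream[pos:]


def receive_line_limited(stream, max_len):
    """Non-transparent (newline) framing with a fixed line buffer; returns (msg, truncated)."""
    return [(line[:max_len], len(line) > max_len)
            for line in stream.split(b"\n") if line]


def field_survives(msg, field, max_len):
    """Does 'field' still appear once the message is cut at max_len bytes?"""
    return field in msg[:max_len]


if __name__ == "__main__":
    m = build_4662_like(1000)
    print(len(m), "bytes; ObjectName kept at 2048 bytes:",
          field_survives(m, b"ObjectName=", 2048))
```

Practical caveat: the receiver limit is only one of several hops; the agent, any relay and the SIEM's own parser each apply their own cap, so test end to end with a real oversized event and check that the last field is present after normalization. In rsyslog the relevant legacy directive is $MaxMessageSize (the default is well below 34 kB), and it must be set before the input modules are loaded.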
Hi! Just an interesting question. I know that other SIEM vendors have problems with this; maybe LogPoint has a good function for it. I received a JSON event that didn't normalise because no normalization package was enabled. I enabled it after I received the event. So, to my question: is it possible to parse this event afterwards so that it gets normalized? Or do I have to wait for another event from the same log source to see if this one gets normalized?
Hi, I have a distributed system with dedicated collectors. Now, during setup and configuring a few hundred Linux servers via rsyslog to send their logs to one collector, the collector suddenly stopped pushing the data further to the data node. I rebooted the collector, which resulted in temporary relief; however, after roughly two hours the problem resurfaced. Using tcpdump on the collector I can see logs streaming in from the log sources (tcp/514), and on the data node I also see OpenVPN UDP traffic coming in from the IP of the collector; I'm not sure, however, whether in the latter I only see tunnel keepalive traffic, as the packets are very small (65-103 bytes). I don't have a clue how to understand what is going on and where to look. It seems like some resource problem to me, but in terms of memory or CPU the system is well equipped and bored :-). The thing is, when doing a search over all repos with "collected_at"="myCollectorName" I don't get any data at all, as if the thing did not exist. Do you
Hello, with the new Agent X we were testing adding devices with Agent X to LogPoint; due to DHCP they will not always have the same IP address. We attempted to add this device via hostname to LogPoint, but even though the Agent X panel claims that it is active and collecting logs, when searching for said logs I get no result for the hostname. Is it possible to use hostnames to add devices to LogPoint for use with Agent X, or is it not possible?
Hi, I am reaching out to you regarding an issue I'm experiencing with the disk storage logs. It seems that for the past week I have not been receiving any logs pertaining to disk storage. I would greatly appreciate it if you could kindly inform me about the possible reasons behind this. Thank you in advance. Siawash
I see that there are no vendor apps for Kubernetes, so normalization is maybe going to have to be written, but how do you get logs to LogPoint? Is there a native way for this? I found that auditing of logs is not turned on by default, and if it is, the logs only reside for 1 hour. Anyone with some good advice in the matter? Regards, Kai
Dear fellow LogPoint users, I am wondering if there is the possibility to compare the results of a query for different times in one plot. This would be very helpful to identify regularities/irregularities, for example the number of logs received today over the number of logs received yesterday and the day before. Yes, I can create a dashboard and stack the corresponding widgets on top of one another. However, it would be helpful to be able to directly compare the curves in one plot. Thanks in advance, Georg
Dear fellow LogPoint users, I would like to plot a given quantity over time in search and in my dashboards, for example the GBs of data transferred over time, or the values of a time table. To my understanding chart, as well as timechart, does not allow this. These functions only aggregate the number of occurrences within the given time interval (like in a histogram). Is there a way to do this? Best regards, Georg
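The two computations behind the two posts above, as an added example in plain Python (not LogPoint's chart or timechart, and not code from the posts): bucket_sum() aggregates a numeric field per time interval instead of counting events, which is the "plot a quantity over time" question, and day_over_day() re-indexes several days onto one time-of-day axis so today's curve and yesterday's can be drawn on a single plot, which is the "compare results for different times" question. The events and the field name bytes_sent are constructed.

```python
"""Chart a summed quantity per time bucket, and lay yesterday's curve over today's.

Added example, not LogPoint's chart/timechart: plain Python over constructed
events. bucket_sum() aggregates a numeric field (bytes here) per interval
instead of counting occurrences, which is what the second post asks for;
day_over_day() re-indexes several days onto one time-of-day axis so the curves
from the first post can be drawn on a single plot. The events and the field
name bytes_sent are constructed.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone


def ts(s):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed events over two days.
SAMPLE_EVENTS = [
    {"ts": ts("2024-03-01T08:20:00Z"), "bytes_sent": 700},
    {"ts": ts("2024-03-01T09:30:00Z"), "bytes_sent": 300},
    {"ts": ts("2024-03-02T08:05:00Z"), "bytes_sent": 1000},
    {"ts": ts("2024-03-02T08:40:00Z"), "bytes_sent": 2000},
    {"ts": ts("2024-03-02T09:10:00Z"), "bytes_sent": 500},
]


def bucket_start(when, bucket_seconds):
    """Round a timestamp down to the start of its bucket."""
    epoch = int(when.timestamp())
    return datetime.fromtimestamp(epoch - epoch % bucket_seconds, tz=timezone.utc)


def bucket_sum(events, field, bucket_seconds):
    """bucket start -> sum of field in that bucket (a timechart of a value, not a count)."""
    totals = defaultdict(int)
    for ev in events:
        totals[bucket_start(ev["ts"], bucket_seconds)] += ev[field]
    return dict(totals)


def bucket_count(events, bucket_seconds):
    """The histogram that count()-style charts produce, for contrast."""
    counts = defaultdict(int)
    for ev in events:
        counts[bucket_start(ev["ts"], bucket_seconds)] += 1
    return dict(counts)


def day_over_day(series, day, n_days, bucket_seconds):
    """Rows of (seconds since midnight, [value on day, value on day-1, ...]).

    Missing buckets read as 0 so every curve shares the same x axis.
    """
    midnight = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    rows = []
    for off in range(0, 86400, bucket_seconds):
        row = [series.get(midnight - timedelta(days=d) + timedelta(seconds=off), 0)
               for d in range(n_days)]
        rows.append((off, row))
    return rows


if __name__ == "__main__":
    hourly = bucket_sum(SAMPLE_EVENTS, "bytes_sent", 3600)
    for off, row in day_over_day(hourly, date(2024, 3, 2), 2, 3600):
        if any(row):
            print(f"{off // 3600:02d}:00  today={row[0]:>6}  yesterday={row[1]:>6}")
```

The rows that day_over_day() returns are exactly the table a single multi-series line chart needs: one x value per bucket and one column per day.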
Hello, our company very recently configured a LogPoint for ourselves and a customer. The customer asked for an alert rule to alert us and them whenever someone attempts to log in with an unknown username format, to see those attempts and check whether someone accidentally typed their password in the username field. For this I created this rule (there are probably better ways to do this):
-("source_address"="ip") -("source_address"="iü") -("user"="du*") -("user"="MINWINPC") -("user"="ch*") -("user"="firewall") -("user"="aa*") -("user"="da*") -("user"="nu*") -("user"="su*") -("user"="la*") -("user"="cba_anonymous") -("user"="ex*") "reason"="Unknown user name or bad password." "event_category"="Logon" device_ip=ip or device_ip=ip
The rule ended up being pretty long, but it mostly works. The "mostly" being that it generates a lot of noise, because there are a lot of alerts with user null, so empty; these alerts seem to come from the DC itself. And I am trying to exclude null from the search. I tried: -("u
Hi folks, just a quick question: I was wondering what the available libraries are when using a Python script. Is it just the 'core' or 'standard' Python libraries that are available, or is it possible to use third-party ones? I'm assuming that LogPoint doesn't automatically fetch libraries if you put the import statements in. In which case, is there any way around this (allowing for pip installs), or would we need to create a separate Python application outside of LogPoint and interface with that (either via API or some other means)?
Hi! I'm curious about how to collect logs from SCCM: logs related to endpoint protection, virus alarms, quarantined threats etc. I found out that NXLog provides a configuration file for this, but some fields are missing in the configuration file, for example <Output out_syslog> to point out the syslog destination. (Microsoft System Center Configuration Manager :: NXLog Documentation.) Has anyone any experience with this? Thankful for replies.
Hi! Is there anyone in this community who has some knowledge about the recent malware backdoors on Microsoft Exchange servers? I would like to investigate this further and do some threat hunting. Does anyone here have any threat hunting queries in LogPoint?
Hi All, we are excited to share the release of the new Universal REST API Fetcher. The Universal REST API Fetcher provides a generic interface to fetch logs from cloud sources via REST APIs. The cloud sources can have multiple endpoints, and every configured source consumes one device license. For more details, please see the links below:
Help Center: https://servicedesk.logpoint.com/hc/en-us/articles/6047943636253-Universal-REST-API-Fetcher
Documentation: https://docs.logpoint.com/docs/universal-rest-api/en/latest/
Hi! I've been struggling with the normalization of Cisco Firepower logs, where I expect better normalization and better enrichment. The syslog is configured from the Firepower Management Center. Everything should be correct in LogPoint, where we've put in all the normalization policies for the log source.
Compiled Normalizer:
- Cisco FirepowerNormalizer
- CiscoPIXASACompiledNormalizer
Normalization Packages:
- LP_Cisco Firepower
- LP_Cisco Fiirepower Management Center
- LP_Cisco Fiirepower Management Center v6_2
- LP_Cisco PIX/ASA Generic
- LP_Cisco PIXASA
Is there any problem with the syslog format? I had the same issue with the Check Point FW, but that got solved when we changed the format to CEF. The only problem is that Cisco Firepower only supports the syslog format. Does anyone have any tips on how to move forward with this?
The 7.2.0 version is out. Read about it here: https://servicedesk.logpoint.com/hc/en-us/articles/10065818192669-Logpoint-v7-2-0. During April, Logpoint will host a webinar giving more insights into the new features. Look for it in your e-mail inbox or here on the Community. / Brian Hansen, Logpoint
Hi! I'm wondering if it's possible to configure Stealthwatch to communicate with LogPoint. I want Stealthwatch to forward events, and even better if it can also forward flows to the SIEM. Is this possible? All I can find regarding this is the integration with LogPoint's SOAR to configure different types of actions: Adding the Vendors — Cisco Secure Network Analytics (Stealthwatch) SOAR Integration latest documentation (logpoint.com)