Hi Aleksta,
I belive this is how you can configure Stealthwatch to communicate.
- Log in to the Stealthwatch Management Console (SMC) as an administrator.
- In the menu bar, click Configuration > Response Management.
- From the Actions section in the Response Management menu, click Add > Syslog Message.
- In the Add Syslog Message Action window, configure the following parameters:
Parameter | Value |
Name | The name for the syslog message action. |
Enabled | This check box is enabled by default. |
IP Address | The IP address of the Logpoint. |
Port | The default port is port 514. |
Format | Select Syslog Formats. |
- Enter the following custom format:
LEEF:2.0|Lancope|Stealthwatch|6.8|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress ={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}
- Select the custom format from the list and click OK. Note: Use the Test button to send test message to Logpoint
- Click Response Management > Rules.
- Click Add and select Host Alarm.
- Provide a rule name in the Name field.
- Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.
If this doesnot work for you, you can create a support ticket so that Logpoint support engineer could assit you in a remote session.
Hi!
Thanks for your reply. I’m assuming that I’ve to modify the “custom format” with correct IP-adresses, dstPort and protocol.
How about the opportunities for LogPoint to receives NertFlows? Must an flow collector be set up or can an LogPoint appliance for example receive It directly without any additional configuration?
hi Aleksta,
I assume you mean Netflow not Nertflows. Here is the documentation link for intergating Netflow with Logpoint. Netflow support is available in LogPoint and requires the Netflow Application to be installed. Once it is installed, it is available as a Fetcher and can be applied to Devices and/or Policy. NetFlow needs to be enabled on the sending device and must send NetFlow on port 9001. This is usually a configurable option on the sending device.
LINK:
https://www.logpoint.com/en/blog/add-netflow-log-ingestion-to-logpoint/
You can try configuring this on your end. Feel free to reach out if you face issues with the intergations.
Regards,
Prabesh
Hi again!
Yes sorry, I mean NetFlows. Okey perfect, thanks for the answers about NetFlows.
Is It possible for Stealthwatch to “forward” Flows to LogPoint directly on port 9001? Or is It recommended to point out LogPoint as a destion of flows on the L3 devices directly?
Thanks!
Hi Aleksta,
We recommend to forward the Stealthwatch flows to the LP via the Syslog. However it is possible to define the flows of L3 devices to LP using Netflow collector application.But you would miss the additional analytics that would be provided by the stealthwatch and we have to build up our own custom analytics based on the netflow logs.
Regards,
Prabesh