Energy Logserver 7.x User Guide
- About
- Installation
- System Requirements
- Installation method
- Interactive installation using “install.sh”
- Non-interactive installation mode using “install.sh”
- Check cluster/indices status and Elasticsearch version
- Generating basic system information report
- “install.sh” command list
- Post installation steps
- Scheduling bad IP lists update
- Web Application Firewall requirements
- Docker support
- Custom path installation of the Energy Logserver
- ROOTless setup
- Configuration
- Changing default users for services
- Plugins Management
- Transport layer encryption
- Offline TLS Tool
- Browser layer encryption
- Building a cluster
- Disk-based shard allocation
- Authentication with Active Directory
- Authentication with Radius
- Authentication with LDAP
- Configuring Single Sign On (SSO)
- Default home page
- Configure email delivery
- Custom notification on the workstation
- Agents module
- Kafka
- Kafka encryption
- Event Collector
- Cerebro Configuration
- Field level security
- Default Language
- Upgrades
- Upgrade from version 7.5.0
- Upgrade from version 7.4.3
- Upgrade from version 7.4.2
- Upgrade from version 7.4.1
- Upgrade from version 7.4.0
- Upgrade from version 7.3.0
- Upgrade from version 7.2.0
- Upgrade from version 7.1.3
- Upgrade from version 7.1.0
- Upgrade from version 7.0.6
- Upgrade from version 7.0.5
- Upgrade from version 7.0.4
- Upgrade from version 7.0.3
- Upgrade from version 7.0.2
- Upgrade from version 7.0.1
- Upgrade from 6.x
- Downgrade
- Changing OpenJDK version
- User Manual
- Introduction
- Data source
- System services
- First login
- Index selection
- Discovery
- Visualizations
- Dashboards
- Reports
- User roles and object management
- Users, roles, and settings
- Creating a User (Create User)
- User’s modification and deletion, (User List)
- Create, modify, and delete a role (Create Role), (Role List)
- Default user and passwords
- Changing the password for the system account with password utility
- Module Access
- Manage API keys
- Separate data from one index to different user groups
- Settings
- Backup/Restore
- Audit actions
- Index management
- Task Management
- Archive
- E-doc
- CMDB
- Cerebro - Cluster Health
- Elasticdump
- Curator - Elasticsearch index management tool
- Cross-cluster Search
- Sync/Copy
- XLSX Import
- Logtrail
- Logstash
- Logstash - Input “beats”
- Getting data from share folder
- Logstash - Input “network”
- Logstash - Input SNMP
- Logstash - Input HTTP / HTTPS
- Logstash - Input Relp
- Logstash - Input Kafka
- Logstash - Input File
- Logstash - Input database
- Logstash - Input CEF
- Logstash - Input OPSEC
- Build FW1-LogGrabber
- Download dependencies
- Compile source code
- Install FW1-LogGrabber
- Set environment variables
- Configuration files
- lea.conf file
- fw1-loggrabber.conf file
- Command line options
- Help
- Debug level
- Location of configuration files
- Remote log files
- Name resolving behaviour
- Checkpoint firewall version
- Online and Online-Resume modes
- Audit and normal logs
- Filtering
- Supported filter arguments
- Example filters
- Checkpoint device configuration
- FW1-LogGrabber configuration
- Authenticated SSL OPSEC connections
- Checkpoint device configuration
- FW1-LogGrabber configuration
- Authenticated OPSEC connections
- Checkpoint device configuration
- FW1-LogGrabber configuration
- Unauthenticated connections
- Checkpoint device configuration
- FW1-LogGrabber configuration
- Logstash - Input SDEE
- Logstash - Input XML
- Logstash - Input WMI
- Logstash - Filter “beats syslog”
- Logstash - Filter “network”
- Logstash - Filter “geoip”
- Logstash - avoiding duplicate documents
- Logstash data enrichment
- Logstash - Output to Elasticsearch
- Logstash plugin for “naemon beat”
- Logstash plugin for “perflog”
- Logstash plugin for LDAP data enrichment
- Single password in all Logstash outputs
- Multiline codec
- SQL
- SIEM Examples
- Example 1: Check number of failed login attempts
- Example 2: Gather host data from different sources in one place using JOIN
- Example 3: See MAC addresses and their assigned IP addresses:
- Example 4: Check total number of warnings from syslog:
- Example 5: Check number of failed login attempts for every client:
- SQL/PPL API
- Response formats
- SQL
- PPL - Piped Processing Language
- Identifiers
- Data types
- Functions
- Full-text search
- SIEM Examples
- Automation
- Cooperation of logserver and antivirus program
- SIEM Plan
- Alert Module
- Enabling the Alert Module
- SMTP server configuration
- Creating Alerts
- Alerts status
- Alert Types
- Alert Methods
- Escalate
- Recovery
- Aggregation
- Alert Content
- Example of rules
- Playbooks
- Risks
- Incidents
- Indicators of compromise (IoC)
- Calendar function
- Windows Events ID repository
- Security rules
- Cluster Health rules
- MS Windows SIEM rules
- Network Switch SIEM rules
- Cisco ASA devices SIEM rules
- Linux Mail SIEM rules
- Linux DNS Bind SIEM Rules
- Fortigate Devices SIEM rules
- Linux Apache SIEM rules
- RedHat / CentOS system SIEM rules
- Checkpoint devices SIEM rules
- Cisco ESA devices SIEM rule
- Forcepoint devices SIEM rules
- Oracle Database Engine SIEM rules
- Palo Alto devices SIEM rules
- Microsoft Exchange SIEM rules
- Juniper Devices SIEM Rules
- Fudo SIEM Rules
- Squid SIEM Rules
- McAfee SIEM Rules
- Microsoft DNS Server SIEM Rules
- Microsoft DHCP SIEM Rules
- Linux DHCP Server SIEM Rules
- Cisco VPN devices SIEM Rules
- Netflow SIEM Rules
- MikroTik devices SIEM Rules
- Microsoft SQL Server SIEM Rules
- PostgreSQL SIEM Rules
- MySQL SIEM Rules
- Incident detection and mitigation time
- Adding a tag to an existing alert
- Siem Module
- Tenable.sc
- Qualys Guard
- UEBA
- BCM Remedy
- SIEM VirusTotal integration
- SIEM Custom integration
- License Service
- Alert Module
- Empowered AI
- Table of Contents
- AI Rules
- Common Elements
- Univariate Anomaly Detection
- Performance Tab for Univariate Anomaly Detection
- Multivariate Anomaly Detection
- Performance Tab for Multivariate Anomaly Detection
- Clustering
- Performance Tab for Clustering
- Forecasting
- Performance Tab for Forecasting
- Text Anomaly Detection
- Performance Tab for Text Anomaly Detection
- Conclusion
- Default AI Rules
- FAQ
- Troubleshooting
- API
- Connecting to API
- Dashboards API
- Elasticsearch API
- Elasticsearch Index API
- Elasticsearch Document API
- Elasticsearch Cluster API
- Elasticsearch Search API
- Elasticsearch - Mapping, Fielddata and Templates
- AI Module API
- Alert module API
- Reports module API
- License module API
- Role Mapping API
- User Module API
- User Password API
- Integrations
- OP5 - Naemon logs
- OP5 - Performance data
- OP5 Beat
- The Grafana installation
- The Beats configuration
- Wazuh integration
- 2FA authorization with Google Auth Provider (example)
- Software used (tested versions):
- The NGiNX configuration:
- The oauth2 proxy configuration:
- Service start up
- Backup templates to a file
- Import templates into ES
- Split files into multiple parts
- Import data from S3 into ES (using s3urls)
- Export ES data to S3 (using s3urls)
- Import data from MINIO (s3 compatible) into ES (using s3urls)
- Export ES data to MINIO (s3 compatible) (using s3urls)
- Import data from CSV file into ES (using csvurls)
- Copy a single index from an Elasticsearch:
- 2FA with Nginx and PKI certificate
- Setting up Nginx Client-Certificate for Kibana
- 1. Installing NGINX
- 2. Creating client-certificate signing CA
- 3. Creating a client keypair
- 4. Creating the nginx configuration file
- 5. Setting configurations in configuration file paste
- 6. Create a symlink to enable your site in nginx
- 7. Restart nginx
- 8. Importing the Client Certificate on to a Windows Machine
- Setting up Nginx Client-Certificate for Kibana
- Embedding dashboard in iframe
- Integration with AWS service
- The scope of integration
- Data download mechanism
- AWS Cost & Usage Report
- Cloud Trail
- Configuration
- Integration with Azure / o365
- Google Cloud Platform
- F5
- Aruba Devices
- Sophos Central
- FreeRadius
- Microsoft Advanced Threat Analytics
- CheckPoint Firewalls
- WAF F5 Networks Big-IP
- Infoblox DNS Firewall
- CISCO Devices
- Microsoft Windows Systems
- Linux Systems
- AIX Systems
- Microsoft Windows DNS, DHCP Service
- Microsoft IIS Service
- Apache Service
- Microsoft Exchange
- Microsoft AD, Radius, Network Policy Server
- Microsoft MS SQL Server
- MySQL Server
- Oracle Database Server
- Postgres Database Server
- VMware Platform
- VMware Connector
- Network Flows
- Citrix XenApp and XenDesktop
- Sumologic Cloud SOAR
- Microsoft System Center Operations Manager
- JBoss
- Energy Security Feeds