Energy Logserver 7.x User Guide

• About
• Installation
  • System Requirements
  • Installation method
    • Interactive installation using “install.sh”
    • Non-interactive installation mode using “install.sh”
    • Check cluster/indices status and Elasticsearch version
    • Generating basic system information report
    • “install.sh” command list
    • Post installation steps
    • Scheduling bad IP lists update
    • Web Application Firewall requriments
  • Docker support
  • Custom path installation the Energy Logserver
  • ROOTless setup

• Configuration
  • Changing default users for services
    • Change Kibana User
    • Change Elasticsearch User
    • Change Logstash User
  • Plugins management
    • Installing Plugins
    • Listing plugins
    • Removing plugins
    • Updating plugins
  • Transport layer encryption
    • Generating Certificates
      • Setting up configuration files
      • Logstash/Beats
  • Browser layer encryption
    • Configuration steps
  • Building a cluster
    • Node roles
    • Naming convention
    • Config files
    • Example setup
    • Adding a new node to existing cluster
  • Authentication with Active Directory
    • Configure SSL support for AD authentication
    • Role mapping
    • Password encryption
  • Authentication with Radius
    • Configuration
  • Authentication with LDAP
    • Configuration
  • Configuring Single Sign On (SSO)
    • Configuration steps
    • Client (Browser) Configuration
      • Internet Explorer configuration
      • Chrome configuration
      • Firefox configuration
  • Default home page
  • Configure email delivery
    • Configure email delivery for sending PDF reports in Scheduler
    • Basic postfix configuration
    • Example of postfix configuration with SSL encryption enabled
  • Custom notification on workstation
  • Agents module
    • Preparations
    • Installation of MasterAgent - Server Side
    • Installation of Agent - Client Side
      • Linux
      • Windows
    • Beats - configuration templates
    • Agent module compatibility
    • Windows - Beats agents installation
      • Winlogbeat
        • Installation
        • Configuration
        • Drop event
          • equals
          • contains
          • regexp
          • range
          • network
          • has_fields
          • or
          • and
          • not
        • Internal queue
      • Filebeat
        • Installation
        • Configuration
      • Metricbeat
        • Installation
        • Configuration
      • Packetbeat
        • Installation
        • Configuration
    • Linux - Beats agents installation
      • Filebeat
        • Installation
        • Configuration
      • Metricbeat
        • Installation
        • Configuration
      • Packetbeat
        • Installation
        • Configuration
  • Kafka
    • The Kafka installation
  • Kafka encryption
    • Configuring Kafka Brokers
    • Configuring Kafka Clients
    • Log retention for Kafka topic
  • Event Collector
    • Configuration steps
      • Installation of Event Collector
      • Generate certificate
      • Event Collector Configuration
      • Install dependencies
      • Running Event Collector service
      • Windows host configuration
      • Logstash pipeline configuration
      • Enabling Logstash pipeline
      • Elasticsearch template
      • Building the subscription filter
  • Cerebro Configuration
  • Field level security
  • Default Language
    • Changing default language for GUI
    • Preparing translation for GUI
      • Bullet points for translations
      • FAQ
      • Known issues

• Upgrades
  • Upgrade from version 7.3.0
    • Breaking and major changes
    • Preferred Upgrade steps
    • Required post upgrade from version 7.3.0
  • Upgrade from version 7.2.0
    • Preferred Upgrade steps
    • Required post upgrade
  • Upgrade from version 7.1.3
    • Breaking and major changes
    • Preferred Upgrade steps
    • Required post upgrade
    • Required post upgrade from version 7.1.3
  • Upgrade from version 7.1.0
    • Preferred Upgrade steps
    • Required post upgrade
  • Upgrade from version 7.0.6
    • Breaking and major changes
    • Preferred Upgrade steps
      • Required post upgrade
  • Upgrade from version 7.0.5
    • General note
    • Preferred Upgrade steps
    • Alternative Upgrade steps (without install.sh script)
  • Upgrade from version 7.0.4
    • General note
    • Preferred Upgrade steps
    • Alternative Upgrade steps (without install.sh script)
  • Upgrade from version 7.0.3
    • General note
    • Upgrade steps
  • Upgrade from version 7.0.2
    • General note
    • Upgrade steps
  • Upgrade from version 7.0.1
    • General note
    • Upgrade steps
  • Upgrade from 6.x
    • Pre-upgrade steps for data node
    • Upgrade Energy Logserver Data Node
    • Post-upgrade steps for data node
    • Upgrade Energy Logserver Client Node
  • Downgrade
  • Changing OpenJDK version
    • Logstash
    • Elasticsearch

• User Manual
  • Introduction
    • Elasticsearch
    • Kibana
    • Logstash
    • ELK
  • Data source
  • System services
  • First login
  • Index selection
    • Index rollover
  • Discovery
    • Time settings and refresh
    • Fields
    • Filtering and syntax building
      • Syntax
      • Filters
      • Operators
      • Wildcards
      • Regular expressions
      • Fuzziness
      • Proximity searches
      • Ranges
    • Saving and deleting queries
      • Save query
      • Open query
      • Delete query
    • Manual incident
    • Change the default width of columns
  • Visualizations
    • Creating visualization
      • Create
      • Load
    • Vizualization types
    • Edit visualization and saving
      • Edititing
      • Saving
      • Load
  • Dashboards
    • Create
    • Saving
    • Load
    • Sharing dashboards
    • Dashboard drilldown
    • Sound notification
  • Reports
    • CSV Report
    • PDF Report
    • PDF report from the table visualization
    • Scheduler Report (Schedule Export Dashboard)
  • User roles and object management
    • Users, roles and settings
    • Creating a User (Create User)
      • Creating user
    • User’s modification and deletion, (User List)
    • Create, modify and delete a role (Create Role), (Role List)
    • Default user and passwords
    • Changing password for the system account
    • Module Access
    • Manage API keys
    • Separate data from one index to different user groups
  • Settings
    • General Settings
    • License (License Info)
      • Renew license
    • Special accounts
  • Backup/Restore
    • Backing up
    • Restoration from backup
  • Index management
    • Close action
    • Delete action
    • Force Merge action
    • Shrink action
    • Rollover action
    • Custom action
      • Open index
      • Replica reduce
      • Index allocation
      • Cluster routing
    • Preinstalled actions
      • Close-Daily
      • Close-Monthly
      • Disable-Refresh-Older-Than-Days
      • Disable-Refresh-Older-Than-Month
      • Force-Merge-Older-Than-Days
      • Force-Merge-Older-Than-Months
      • Logtrail-default-delete
      • Logtrail-default-rollover
  • Intelligence Module
    • The fixed part of the screen
    • Screen content for regressive algorithms
    • Screen content for the Trend algorithm
    • Screen content for the neural network (MLP) algorithm
    • AI Rules List
    • AI Learn
    • AI Learn Tasks
    • Scenarios of using algorithms implemented in the Intelligence module
      • Teaching MLP networks and choosing the algorithm to use:
      • Starting the MLP network algorithm:
      • Starting regression algorithm:
      • Management of available rules:
    • Permission
    • Register new algorithm
  • Archive
    • Configuration
      • Enabling module
    • Archive Task
      • Create Archive task
      • Task List
    • Archive Search
      • Create Search task
      • Task list
    • Archive Upload
      • Create Upload task
      • Task List
    • Command Line tools
      • zstd
      • zstdcat
      • zstdgrep
      • zstdless
      • zstdmt
  • E-doc
    • Login to E-doc
    • Creating a public site
    • Creating a site with the permissions of a given group
    • Content management
      • Text formatting features
      • Insert Links
      • Insert images
    • Create a “tree” of documents
    • Embed allow iframes
    • Conver Pages
  • CMDB
    • Infrastructure tab
    • Relations Tab
    • Integration with network_visualization
  • Cerebro - Cluster Health
  • Elasticdump
    • Location
    • Examples of use
      • Copy an index from production to staging with analyzer and mapping
      • Backup index data to a file:
      • Backup and index to a gzip using stdout
      • Backup the results of a query to a file
      • Copy a single shard data
      • Backup aliases to a file
    • Usage
    • All parameters
    • Elasticsearch’s Scroll API
    • Bypassing self-sign certificate errors
    • An alternative method of passing environment variables before execution
  • Curator - Elasticsearch index management tool
    • Curator installation
    • Curator configuration
    • Running Curator
    • Sample configuration file
    • Sample action file
  • Cross-cluster Search
    • Configuration
    • Security
  • Sync/Copy
    • Configuration
    • Synchronize data
    • Copy data
    • Running Sync/Copy
  • XLSX Import
    • Importing steps
  • Logtrail
    • Configuration
    • Logstash configuration
    • Kibana configuration
    • Using Logtrail
  • Logstash
    • Logstash - Input “beats”
    • Getting data from share folder
      • Input - FTP server
      • Input - SFTP server
      • Input - SMB/CIFS server
    • Logstash - Input “network”
    • Logstash - Input SNMP
    • Logstash - Input HTTP / HTTPS
    • Logstash - Input Relp
      • Installation
      • Description
      • Relp input configuration options
    • Logstash - Input Kafka
    • Logstash - Input File
    • Logstash - Input database
      • Logasth input - MySQL
      • Logasth input - MSSQL
      • Logstash input - Oracle
      • Logstash input - PostgreSQL
    • Logstash - Input CEF
    • Logstash - Input OPSEC
      • Build FW1-LogGrabber
      • Download dependencies
      • Compile source code
      • Install FW1-LogGrabber
      • Set environment variables
      • Configuration files
      • lea.conf file
        • fw1-loggrabber.conf file
      • Command line options
      • Help
      • Debug level
      • Location of configuration files
      • Remote log files
      • Name resolving behaviour
      • Checkpoint firewall version
      • Online and Online-Resume modes
      • Audit and normal logs
      • Filtering
        • Supported filter arguments
        • Example filters
      • Checkpoint device configuration
      • FW1-LogGrabber configuration
      • Authenticated SSL OPSEC connections
        • Checkpoint device configuration
        • FW1-LogGrabber configuration
      • Authenticated OPSEC connections
        • Checkpoint device configuration
        • FW1-LogGrabber configuration
      • Unauthenticated connections
        • Checkpoint device configuration
        • FW1-LogGrabber configuration
    • Logstash - Input SDEE
      • Download
      • Installation
      • Configuration
    • Logstash - Input XML
    • Logstash - Input WMI
      • Installation
      • Configuration
    • Logstash - Filter “beats syslog”
    • Logstash - Filter “network”
    • Logstash - Filter “geoip”
    • Logstash - avoiding duplicate documents
    • Logstash data enrichment
      • Filter jdbc
      • Filter logstash-filter-ldap
      • Download and installation
      • Configuration
        • Input event
        • Logstash filter
        • Output event
      • Parameters availables
      • Buffer
      • Memory Buffer
      • Persistant cache buffer
      • Filter translate
      • External API
      • Mathematical calculations
    • Logstash - Output to Elasticsearch
    • Logstash plugin for “naemon beat”
    • Logstash plugin for “perflog”
    • Logstash plugin for LDAP data enrichement
    • Single password in all Logstash outputs
    • Multiline codec
  • Join
    • Query Syntax
      • Simple query
      • Complex query
    • Filter interface
    • Scroll interface
    • Examples
      • Example 1
      • Example 2
      • Example 3
      • Example 4 - correlation (httpd and winlogbeat)
      • Example 5 - correlation (dhcpd and winlogbeat)
  • Automation
    • Connection
      • Example
    • Automations List
    • Credentials
    • Executions
    • Node
      • Core nodes
      • Regular nodes
        • Example
      • Trigger nodes
      • Node settings
        • Operations
        • Parameters
        • Settings
    • How to filter events
      • Example If usage
      • Example Case usage
      • IF
        • Node Reference
      • Switch
        • Node Reference
      • Spreadsheet File
        • Basic Operations
        • Node Reference
    • Automation integration nodes

• Log Management Plan
  • Main Features
  • Pipelines
  • Dashboards

• SIEM Plan
  • Alert Module
    • Enabling the Alert Module
    • SMTP server configuration
    • Creating Alerts
    • Alerts status
    • Alert Types
      • Any
      • Blacklist
      • Whitelist
      • Change
      • Frequency
      • Spike
      • Flatline
      • New Term
      • Cardinality
      • Metric Aggregation
      • Percentage Match
      • Unique Long Term
      • Find Match
      • Consecutive Growth
      • Logical
      • Chain
      • Difference
    • Alert Methods
      • Email
      • User
      • Command
      • The Hive
      • RSA Archer
      • Jira
      • WebHook Connector
      • Slack
      • ServiceNow
      • EnergySoar
    • Escalate
    • Recovery
    • Aggregation
    • Alert Content
    • Example of rules
      • Unix - Authentication Fail
      • Windows - Firewall disable or modify
    • Playbooks
      • Create Playbook
      • Playbooks list
      • Linking Playbooks with alert rule
      • Playbook verification
    • Risks
      • Create category
      • Category list
      • Create risk
      • List risk
      • Linking risk with alert rule
      • Risk calculation algorithms
      • Adding a new risk calculation algorithm
      • Using the new algorithm
      • Additional modification of the algorithm (weight)
    • Incidents
      • Incident Escalation
      • Context menu for Alerts::Incidents
        • Important file paths
        • List element template
        • Action function template
        • Steps to add the first custom action to the codebase
        • Steps to add a second and subsequent custom actions
        • System update
    • Indicators of compromise (IoC)
      • Configuration
        • Bad IP list update
        • Scheduling bad IP lists update
    • Calendar function
      • Create a calendar
    • Windows Events ID repository
      • Netflow analyzis
      • Installation
        • Install/update logstash codec plugins for netflox and sflow
      • Configuration
        • Enable Logstash pipeline
        • Elasticsearch template installation
        • Importing Kibana dashboards
        • Enable reverse dns lookup
    • Security rules
      • Cluster Health rules
      • MS Windows SIEM rules
      • Network Switch SIEM rules
      • Cisco ASA devices SIEM rules
      • Linux Mail SIEM rules
      • Linux DNS Bind SIEM Rules
      • Fortigate Devices SIEM rules
      • Linux Apache SIEM rules
      • RedHat / CentOS system SIEM rules
      • Checkpoint devices SIEM rules
      • Cisco ESA devices SIEM rule
      • Forcepoint devices SIEM rules
      • Oracle Database Engine SIEM rules
      • Paloalto devices SIEM rules
      • Microsoft Exchange SIEM rules
      • Juniper Devices SIEM Rules
      • Fudo SIEM Rules
      • Squid SIEM Rules
      • McAfee SIEM Rules
      • Microsoft DNS Server SIEM Rules
      • Microsoft DHCP SIEM Rules
      • Linux DHCP Server SIEM Rules
      • Cisco VPN devices SIEM Rules
      • Netflow SIEM Rules
      • MikroTik devices SIEM Rules
      • Microsoft SQL Server SIEM Rules
      • Postgress SQL SIEM Rules
      • MySQL SIEM Rules
    • Incident detection and mitigation time
    • Adding a tag to an existing alert
  • Siem Module
    • Active response
    • Log data collection
      • How it works
      • How to collect Windows logs
      • Configuration
    • File integrity monitoring
      • How it works
      • Configuration
    • Active response
      • How it works
      • Default Active response scripts
      • Configuration
    • Vulnerability detection
      • How it works
      • Running a vulnerability scan
  • Tenable.sc
    • Configuration
  • Qualys Guard
    • Configuration
  • UEBA
  • BCM Remedy
  • SIEM Virtus Total integration
    • Configuration
  • SIEM Custom integration
  • License Service

• Troubleshooting
  • Recovery default base indexes
  • Too many open files
  • The Kibana status code 500
  • Diagnostic tool
    • Running the diagnostic tool
  • Verification steps and logs
    • Verification of Elasticsearch service
    • Verification of Logstash service
    • Debugging
    • Verification of Energy Logserver GUI service
  • SIEM PLAN - Windows CP1250 decoding problem

• Monitoring
  • About Skimmer
  • Skimmer Installation
  • Skimmer service configuration
    • Skimmer GUI configuration
    • Skimmer dashboard
    • Expected Data Nodes

• API
  • Connecting to API
  • Kibana API
    • Kibana Import API
    • Kibana Export API
  • Elasticsearch API
  • Elasticsearch Index API
    • Adding Index
    • Delete Index
    • API useful commands
  • Elasticsearch Document API
    • Create Document
    • Delete Document
    • Useful commands
  • Elasticsearch Cluster API
    • Useful commands
  • Elasticsearch Search API
    • Useful commands
  • Elasticsearch - Mapping, Fielddata and Templates
    • Useful commands
    • Create - Mapping / Fielddata
    • Create Template
    • Delete Mapping
    • Delete Template
  • AI Module API
    • Services
    • List rules
    • Show rules
    • Create rules
    • Update rules
    • Delete rules
  • Alert module API
    • Create Alert Rule
    • Save Alert Rules
  • Reports module API
    • Create new task
    • Checking the status of the task
    • Downloading results
  • License module API
    • Reload License API
  • Role Mapping API
  • User Module API
  • User Password API

• Integrations
  • OP5 - Naemon logs
    • Logstash
    • Elasticsearch
    • Energy Logserver Monitor
    • Elasticsearch
  • OP5 - Performance data
    • Elasticsearch
    • Logstash
    • Energy Logserver Monitor
    • Kibana
  • OP5 Beat
    • Installation for Centos7 and newer
    • Installation for Centos6 and older
  • The Grafana instalation
  • The Beats configuration
    • Kibana API
  • Wazuh integration
    • Deploying Wazuh Server
    • Deploing Wazuh Agent
    • Filebeat configuration
  • 2FA authorization with Google Auth Provider (example)
    • Software used (tested versions):
    • The NGiNX configuration:
    • The oauth2_proxy configuration:
    • Service start up
      • Backup templates to a file
      • Import templates into ES
      • Split files into multiple parts
      • Import data from S3 into ES (using s3urls)
      • Export ES data to S3 (using s3urls)
      • Import data from MINIO (s3 compatible) into ES (using s3urls)
      • Export ES data to MINIO (s3 compatible) (using s3urls)
      • Import data from CSV file into ES (using csvurls)
      • Copy a single index from a elasticsearch:
  • 2FA with Nginx and PKI certificate
    • Seting up Nginx Client-Certificate for Kibana
      • 1. Installing NGINX
      • 2. Creating client-certificate signing CA
      • 3. Creating a client keypair
      • 4. Creating the nginx configuration file
      • 5. Setting configurations in configuration file paste
      • 6. Create a symlink to enable your site in nginx
      • 7. Restart nginx
      • 8. Importing the Client Certificate on to a Windows Machine
  • Embedding dashboard in iframe
  • Integration with AWS service
    • The scope of integration
    • Data download mechanism
    • AWS Cost & Usage Report
    • Cloud Trail
    • Configuration
      • Configuration of access to the AWS account
      • Configuration of AWS profiles
      • Configure S3 buckets scanning
      • Configuration of AWS Cost & Usage reports
      • Logstash Pipelines
      • Configuration of AWS permissions and access
      • Data indexing
      • Dashboards
        • Overview
        • EC2
        • RDS
        • AMI
        • Security
        • Snapshots
        • Backups
        • CloudTrail
        • IAM
        • Gateways
  • Integration with Azure / o365
    • Introduction
    • Scope of Integration
    • System components
      • Logstash
      • Kafka
      • Energy Logserver Data
      • Energy Logserver GUI
    • Data sources
      • Azure Monitor datasource configuration
      • Azure Insights datasource configuration
    • Azure Command-Line Interface
      • Permission
    • Service selection
      • Azure Monitor metrics
      • Azure Application Insights metrics
    • Energy Logserver GUI
      • Metrics
      • Events
  • Google Cloud Platform
  • F5
  • Aruba Devices
  • Sophos Central
  • FreeRadius
  • Microsoft Advanced Threat Analytics
  • CheckPoint Firewalls
  • WAF F5 Networks Big-IP
  • Infoblox DNS Firewall
  • CISCO Devices
  • Microsoft Windows Systems
  • Linux Systems
  • AIX Systems
  • Microsoft Windows DNS, DHCP Service
  • Microsoft IIS Service
  • Apache Service
  • Microsoft Exchange
    • Microsoft Exchange message tracking
  • Microsoft AD, Radius, Network Policy Server
  • Microsoft MS SQL Server
  • MySQL Server
  • Oracle Database Server
  • Postgres Database Server
  • VMware Platform
  • VMware Connector
  • Network Flows
  • Citrix XenApp and XenDesktop
  • Sumologic Cloud SOAR
  • Microsfort System Center Operations Manager
  • JBoss
  • Energy Security Feeds
    • Configuration
      • Bad IP list update
      • Scheduling bad IP lists update

• CHANGELOG
  • v7.4.0
    • Upgrades
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.3.0
    • NewFeatures
    • Improvements
    • BugFixes
    • Integrations
    • SIEM Plan
    • Network-Probe
    • Security related
    • Required post upgrade
  • v7.2.0
    • Breaking changes
    • NewFeatures
    • Improvements
    • BugFixes
    • Integrations
    • SIEM Plan
    • Network-Probe
    • Security related
    • Required post upgrade
  • v7.1.3
    • Security related
  • v7.1.2
    • NewFeatures
    • Improvements
    • BugFixes
    • Integrations
    • SIEM Plan
    • Required post upgrade
  • v7.1.1
    • NewFeatures
    • Improvements
    • BugFixes
    • Integrations
    • SIEM Plan
    • Security related
  • v7.1.0
    • NewFeatures
    • Improvements
    • BugFixes
    • Integrations
    • SIEM Plan
    • Network-Probe
    • API Changes
    • Breaking changes
    • Required post upgrade
  • v7.0.6
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.0.5
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.0.4
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.0.3
    • New Features
    • Improvements
    • BugFixes
  • v7.0.2
    • New Features
    • Improvements
    • BugFixes
  • v7.0.1