Energy Logserver 7.x User Guide

• About
• Introduction
  • Elasticsearch
  • Kibana
  • Logstash
  • ELK

• Data source and application management
  • Data source
  • System services
  • First configuration steps
    • System Requirements
    • Run the instalation
      • Installation using the RPM package
      • Interactive installation using “install.sh”
      • Non-interactive installation mode using “install.sh”
        • Generating basic system information report
      • “install.sh” command list:
      • Post installation steps
      • Scheduling bad IP lists update
  • First login
  • Index selection
  • Changing default users for services
    • Change Kibana User
    • Change Elasticsearch User
    • Change Logstash User
  • Custom installation the Energy Logserver
  • Plugins management in the Elasticsearch
    • Installing Plugins
    • Listing plugins
    • Removing plugins
    • Updating plugins
  • ROOTless management
  • Energy Logserver Elasticsearch encryption
    • Generating Certificates
    • Setting up configuration files
  • Transport layer encryption
  • HTTP layer encryption
    • Logstash/Beats
  • Browser layer encryption
    • Configuration steps
  • Index rollover
  • Default home page

• Discovery
  • Time settings and refresh
  • Fields
  • Filtering and syntax building
    • Syntax
    • Filters
    • Operators
  • Saving and deleting queries
    • Save query
    • Open query
    • Delete query
  • Manual incident
  • Change the default width of columns

• Visualizations
  • Creating visualization
    • Create
    • Load
  • Vizualization types
  • Edit visualization and saving
    • Edititing
    • Saving
    • Load
  • Dashboards
    • Create
    • Saving
    • Load
  • Sharing dashboards
  • Dashboard drilldown
  • Sound notification

• Reports
  • CSV Report
  • PDF Report
  • Scheduler Report (Schedule Export Dashboard)

• User roles and object management
  • Users, roles and settings
  • Creating a User (Create User)
    • Creating user
    • User’s modification and deletion, (User List)
  • Create, modify and delete a role (Create Role), (Role List)
  • Default user and passwords
  • Changing password for the system account
  • Module Access

• Settings
  • General Settings
  • License (License Info)
    • Renew license
  • Special accounts

• Alert Module
  • Enabling the Alert Module
  • SMTP server configuration
  • Creating Alerts
  • Alerts status
  • Alert Types
    • Any
    • Blacklist
    • Whitelist
    • Change
    • Frequency
    • Spike
    • Flatline
    • New Term
    • Cardinality
    • Metric Aggregation
    • Percentage Match
    • Unique Long Term
    • Find Match
    • Consecutive Growth
    • Logical
    • Chain
    • Difference
  • Alert Methods
    • Email
    • User
    • Command
    • The Hive
  • Alert Content
  • Example of rules
    • Unix - Authentication Fail
    • Windows - Firewall disable or modify
    • SIEM Rules
  • Playbooks
    • Create Playbook
    • Playbooks list
    • Linking Playbooks with alert rule
    • Playbook verification
  • Risks
    • Create category
    • Category list
    • Create risk
    • List risk
    • Linking risk with alert rule
    • Risk calculation algorithms
    • Adding a new risk calculation algorithm
    • Using the new algorithm
    • Additional modification of the algorithm (weight)
  • Incidents
    • Incident Escalation
    • Context menu for Alerts::Incidents
      • Important file paths
      • List element template
      • Action function template
      • Steps to add the first custom action to the codebase
      • Steps to add a second and subsequent custom actions
      • Updating system
  • Indicators of compromise (IoC)
    • Configuration
      • Bad IP list update
      • Scheduling bad IP lists update
      • Configuration alert rule
  • Calendar function
    • Create a calendar system

• SIEM Plan
  • System security
    • Windows Events
      • Events ID repository
    • Netflow analyzis
      • Installation
        • Install/update logstash codec plugins for netflox and sflow
      • Configuration
        • Enable Logstash pipeline
        • Elasticsearch template installation
        • Importing Kibana dashboards
        • Enable bad reputation lists update
        • Enable reverse dns lookup
  • Security rules
    • MS Windows SIEM rules
    • Network Switch SIEM rules
    • Cisco ASA devices SIEM rules
    • Linux Mail SIEM rules
    • Linux DNS Bind SIEM Rules
    • Fortigate Devices SIEM rules
    • Linux Apache SIEM rules
    • RedHat / CentOS system SIEM rules
    • Checkpoint devices SIEM rules
    • Cisco ESA devices SIEM rule
    • Forcepoint devices SIEM rules
    • Oracle Database Engine SIEM rules
    • Paloalto devices SIEM rules
    • Microsoft Exchange SIEM rules
    • Juniper Devices SIEM Rules
    • Fudo SIEM Rules
    • Squid SIEM Rules
    • McAfee SIEM Rules
    • Microsoft DNS Server SIEM Rules
    • Microsoft DHCP SIEM Rules
    • Linux DHCP Server SIEM Rules
    • Cisco VPN devices SIEM Rules
    • Netflow SIEM Rules
    • MikroTik devices SIEM Rules
    • Microsoft SQL Server SIEM Rules
    • Postgress SQL SIEM Rules
    • MySQL SIEM Rules

• Archive
  • Configuration
    • Enabling module
  • Archive Task
    • Create Archive task
    • Task List
  • Archive Search
    • Create Search task
    • Task list
  • Archive Upload
    • Create Upload task
    • Task List
  • Command Line tools
    • zstd
    • zstdcat
    • zstdgrep
    • zstdless
    • zstdmt

• Intelligence Module
  • The fixed part of the screen
  • Screen content for regressive algorithms
  • Screen content for the Trend algorithm
  • Screen content for the neural network (MLP) algorithm
  • AI Rules List
  • AI Learn
  • AI Learn Tasks
  • Scenarios of using algorithms implemented in the Intelligence module
    • Teaching MLP networks and choosing the algorithm to use:
    • Starting the MLP network algorithm:
    • Starting regression algorithm:
    • Management of available rules:
  • Scheduler Module
  • Permission
  • Register new algorithm

• Verification steps and logs
  • Verification of Elasticsearch service
  • Verification of Logstash service
    • Debuging

• Building a cluster
  • Node roles
  • Naming convention
  • Config files
  • Example setup
  • Adding a new node to existing cluster
  • Cluster HOT-WARM-COLD architecture

• Integration with AD
  • AD configuration
  • Configure SSL suport for AD authentication
  • Role mapping
  • Password encryption
• Integration with Radius
  • Configuration
• Integration with LDAP
  • Configuration

• Configuring Single Sign On (SSO)
  • Configuration steps
  • Client (Browser) Configuration##
    • Internet Explorer configuration
    • Chrome configuration
    • Firefox configuration

• Configure email delivery
  • Configure email delivery for sending PDF reports in Scheduler.
  • Basic postfix configuration
  • Example of postfix configuration with SSL encryption enabled

• Wiki
  • Wiki.js
    • Login to Wiki
    • Creating a public site
    • Creating a site with the permissions of a given group
    • Content management
      • Text formatting features
      • Insert Links
      • Insert images
    • Create a “tree” of documents

• API
  • Kibana API
    • Kibana Import API
    • Kibana Export API
  • Elasticsearch API
  • Elasticsearch Index API
    • Adding Index
    • Delete Index
    • API useful commands
  • Elasticsearch Document API
    • Create Document
    • Delete Document
    • Useful commands
  • Elasticsearch Cluster API
    • Useful commands
  • Elasticsearch Search API
    • Useful commands
  • Elasticsearch - Mapping, Fielddata and Templates
    • Useful commands
    • Create - Mapping / Fielddata
    • Create Template
    • Delete Mapping
    • Delete Template
  • AI Module API
    • Services
    • List rules
    • Show rules
    • Create rules
    • Update rules
    • Delete rules
  • Alert module API
    • Create Alert Rule
    • Save Alert Rules
  • Reports module API
    • Create new task
    • Checking the status of the task
    • Downloading results
  • License module API
    • Reload License API
  • Role Mapping API
  • User Module API

• Logstash
  • Logstash - Input “beats”
    • Getting data from share folder
      • Input - FTP server
      • Input - SFTP server
      • Input - SMB/CIFS server
  • Logstash - Input “network”
  • Logstash - Input SNMP
  • Logstash - Input HTTP / HTTPS
  • Logstash - Input File
  • Logstash - Input database
    • Logasth input - MySQL
    • Logasth input - MSSQL
    • Logstash input - Oracle
    • Logstash input - PostgreSQL
  • Logstash - Input CEF
  • Logstash - Input OPSEC
    • Build FW1-LogGrabber
      • Download dependencies
      • Compile source code
    • Install FW1-LogGrabber
      • Set environment variables
      • Configuration files
      • lea.conf file
        • fw1-loggrabber.conf file
    • Command line options
      • Help
      • Debug level
      • Location of configuration files
      • Remote log files
      • Name resolving behaviour
      • Checkpoint firewall version
      • Online and Online-Resume modes
      • Audit and normal logs
      • Filtering
        • Supported filter arguments
        • Example filters
    • Checkpoint device configuration
    • FW1-LogGrabber configuration
      • Authenticated SSL OPSEC connections
        • Checkpoint device configuration
        • FW1-LogGrabber configuration
      • Authenticated OPSEC connections
        • Checkpoint device configuration
        • FW1-LogGrabber configuration
      • Unauthenticated connections
        • Checkpoint device configuration
        • FW1-LogGrabber configuration
  • Logstash - Input SDEE
    • Download
    • Installation
    • Configuration
  • Logstash - Input XML
  • Logstash - Input WMI
    • Installation
    • Configuration
  • Logstash - Filter “beats syslog”
  • Logstash - Filter “network”
  • Logstash - Filter “geoip”
  • Logstash avoiding duplicate documents
  • Logstash data enrichment
    • Filter jdbc
    • Filter logstash-filter-ldap
      • Download and installation
      • Configuration
        • Input event
        • Logstash filter
        • Output event
      • Parameters availables
      • Buffer
      • Memory Buffer
      • Persistant cache buffer
    • Filter translate
    • External API
  • Logstash - Output to Elasticsearch
  • Logstash plugin for “naemon beat”
  • Logstash plugin for “perflog”
  • Single password in all Logstash outputs
  • Secrets keystore for secure settings
  • Enabling encryption for Apache Kafka clients
    • The Kafka installation
    • Enabling encryption in Kafka
    • Configuring Kafka Brokers
    • Configuring Kafka Clients

• Integrations
  • OP5 - Naemon logs
    • Logstash
    • Elasticsearch
    • Energy Logserver Monitor
    • Elasticsearch
  • OP5 - Performance data
    • Elasticsearch
    • Logstash
    • Energy Logserver Monitor
    • Kibana
  • OP5 Beat
    • Installation for Centos7 and newer
    • Installation for Centos6 and older
  • The Grafana instalation
  • The Beats configuration
    • Kibana API
  • Wazuh integration
    • Deploying Wazuh Server
    • Deploing Wazuh Agent
    • Filebeat configuration
  • BRO integration
  • 2FA authorization with Google Auth Provider (example)
    • Software used (tested versions):
    • The NGiNX configuration:
    • The oauth2_proxy configuration:
    • Service start up
  • Cerebro - Elasticsearch web admin tool
    • Software Requirements
    • Firewall Configuration
    • Cerebro Configuration
    • Optional configuration
  • Elasticdump
    • Location
    • Examples of use
      • Copy an index from production to staging with analyzer and mapping
      • Backup index data to a file:
      • Backup and index to a gzip using stdout
      • Backup the results of a query to a file
      • Copy a single shard data
      • Backup aliases to a file
      • Import aliases into ES
      • Backup templates to a file
      • Import templates into ES
      • Split files into multiple parts
      • Import data from S3 into ES (using s3urls)
      • Export ES data to S3 (using s3urls)
      • Import data from MINIO (s3 compatible) into ES (using s3urls)
      • Export ES data to MINIO (s3 compatible) (using s3urls)
      • Import data from CSV file into ES (using csvurls)
      • Copy a single index from a elasticsearch:
      • Copy a single type:
    • Usage
    • All parameters
    • Elasticsearch’s Scroll API
    • Bypassing self-sign certificate errors
    • An alternative method of passing environment variables before execution
  • Curator - Elasticsearch index management tool
    • Curator installation
    • Curator configuration
    • Running Curator
    • Sample configuration file
    • Sample action file
  • Cross-cluster Search
    • Configuration
    • Security
  • Sync/Copy
    • Configuration
    • Synchronize data
    • Copy data
    • Running Sync/Copy
  • XLSX Import
    • Importing steps
  • Logtrail
    • Configuration
    • Logstash configuration
    • Kibana configuration
    • Using Logtrail
  • Tenable.sc
    • Configuration
  • Qualys Guard
    • Configuration
  • Embedding dashboard in iframe

• Troubleshooting
  • Recovery default base indexes
  • Too many open files
  • The Kibana status code 500
  • Diagnostic tool
    • Running the diagnostic tool

• Upgrades
  • Upgrade from version 7.0.5
    • General note
    • Preferred Upgrade steps
    • Alternative Upgrade steps (without install.sh script)
  • Upgrade from version 7.0.4
    • General note
    • Preferred Upgrade steps
    • Alternative Upgrade steps (without install.sh script)
  • Upgrade from version 7.0.3
    • General note
    • Upgrade steps
  • Upgrade from version 7.0.2
    • General note
    • Upgrade steps
  • Upgrade from version 7.0.1
    • General note
    • Upgrade steps
  • Upgrade from 6.x
    • Pre-upgrade steps for data node
    • Upgrade Energy Logserver Data Node
    • Post-upgrade steps for data node
    • Upgrade Energy Logserver Client Node
  • Changing OpenJDK version
    • Logstash
    • Elasticearch

• Agents module
  • Component modules
  • Agent Module installation
  • Linux Agent installation
  • Windows Agent installation
  • Agent module compatibility
  • Beats agents installation
    • Windows
      • Winlogbeat
        • Installation
        • Configuration
      • Filebeat
        • Installation
        • Configuration
      • Merticbeat
        • Installation
        • Configuration
      • Packetbeat
        • Installation
        • Configuration
    • Linux
      • Filebeat
        • Installation
        • Configuration
      • Merticbeat
        • Installation
        • Configuration
      • Packetbeat
        • Installation
        • Configuration

• Monitoring
  • Skimmer
  • Skimmer Installation
  • Skimmer service configuration
    • Skimmer GUI configuration
    • Skimmer dashboard
    • Expected Data Nodes

• Kafka
  • The Kafka installation
  • Enabling encryption in Kafka
  • Configuring Kafka Brokers
  • Configuring Kafka Clients
  • Log retention for Kafka topic
• CHANGELOG
  • v7.0.6
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.0.5
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.0.4
    • NewFeatures
    • Improvements
    • BugFixes
  • v7.0.3
    • New Features
    • Improvements
    • BugFixes
  • v7.0.2
    • New Features
    • Improvements
    • BugFixes
  • v7.0.1