Energy Logserver 7.x User Guide

• About
• Installation
  • System Requirements
  • Installation method
    • Interactive installation using “install.sh”
    • Non-interactive installation mode using “install.sh”
    • Check cluster/indices status and Data Node version
    • Generating basic system information report
    • “install.sh” command list
    • Post installation steps
    • Scheduling bad IP lists update
    • Web Application Firewall requriments
  • Docker support

• Configuration
  • Plugins Management
    • GUI
      • Enabling/Disabling Plugins
      • Installing Plugins
      • Listing plugins
      • Removing plugins
      • Updating plugins
    • Data Node
      • Enabling/Disabling Plugins
      • Installing Plugins
      • Listing plugins
      • Removing plugins
      • Updating plugins
  • Transport layer encryption
  • Offline TLS Tool
    • General usage
    • Command line options
    • Examples
    • Root CA
    • Intermediate CA
    • Node and Client certificates
      • Global and default settings
      • Node certificates
    • Admin and client certificates
    • Documentation link
    • Adding certificates after the first run
    • Creating CSRs
    • Configuring ciphers for TLS settings
      • Logserver Data Node
      • Logserver GUI
      • Cerebro
        • 7.6.0 and before
      • E-doc
        • 7.6.0 and before
  • Network Probe
    • 7.6.0 and before
    • Masteragent
  • Browser layer encryption
  • Building a cluster
    • Node roles
    • Naming convention
    • Config files
    • TLS Certificates
    • Example setup
    • Adding a new node to the existing cluster
  • Disk-based shard allocation
    • What is a watermark
    • Configuring watermark stages
    • Flood stage and read-only mode
  • Authentication with Active Directory
    • Configure SSL support for AD authentication
    • Role mapping
    • Password encryption
  • Authentication with Radius
    • Configuration
  • Authentication with LDAP
    • Configuration
  • Configuring Single Sign On (SSO)
    • Configuration steps
    • Client (Browser) Configuration
      • Internet Explorer configuration
      • Chrome configuration
      • Firefox Configuration
    • KBC error codes
  • Configure email delivery
    • Configure email delivery for sending PDF reports in Scheduler
      • Configuration file for postfix mail client
      • Basic postfix configuration
      • Example of postfix configuration with SSL encryption enabled
  • Custom notification on the workstation
  • Agents module
    • Preparations
    • Installation of MasterAgent - Server Side
    • Installation of Agent - Client Side
      • Linux
      • Windows
    • Beats - configuration templates
    • Agent module compatibility
    • Windows - Beats agents installation
      • Winlogbeat
        • Installation
        • Configuration
        • Drop event
          • equals
          • contains
          • regexp
          • range
          • network
          • has_fields
          • or
          • and
          • not
        • Internal queue
      • Filebeat
        • Installation
        • Configuration
      • Metricbeat
        • Installation
        • Configuration
      • Packetbeat
        • Installation
        • Configuration
    • Linux - Beats agents installation
      • Filebeat
        • Installation
        • Configuration
      • Metricbeat
        • Installation
        • Configuration
      • Packetbeat
        • Installation
        • Configuration
  • Kafka
    • The Kafka installation
  • Kafka encryption
    • Configuring Kafka Brokers
    • Configuring Kafka Clients
    • Log retention for Kafka topic
  • Event Collector
    • Configuration steps
      • Installation of Event Collector
      • Generate certificate
      • Event Collector Configuration
      • Install dependencies
      • Running Event Collector service
      • Windows host configuration
      • Network Probe pipeline configuration
      • Enabling Network Probe pipeline
      • Data Node template
      • Building the subscription filter
  • Cerebro Configuration
  • Field level security
  • Default Language
    • Changing default language for GUI
    • Preparing translation for GUI
      • Bullet points for translations
      • FAQ
      • Known issues

• Upgrades

• User Manual
  • Introduction
    • Data Node
    • Logserver GUI
    • Network Probe
  • Data source
  • System services
  • First login
  • Index selection
  • Discovery
    • Time settings and refresh
    • Fields
    • Filtering and syntax building
      • Syntax
      • Filters
      • Operators
      • Wildcards
      • Regular expressions
      • Fuzziness
      • Proximity searches
      • Ranges
    • Saving and deleting queries
      • Save query
      • Open query
      • Delete query
    • Manual incident
  • Visualizations
    • Creating visualization
      • Create
      • Load
    • Visualization types
    • Edit visualization and saving
      • Editing
      • Saving
      • Load
  • Dashboards
    • Create
    • Saving
    • Load
    • Sharing dashboards
    • Dashboard drill down
  • Reports
    • CSV Report
    • PDF Report
    • PDF report from the table visualization
    • Scheduler Report (Schedule Export Dashboard)
  • User roles and object management
    • Users, roles, and settings
    • Creating a User (Create User)
      • Creating user
    • User’s modification and deletion, (User List)
    • Create, modify, and delete a role (Create Role), (Role List)
    • Default user and passwords
    • Changing the password for the system account with password utility
      • Updating a user password (example)
    • Module Access
    • Manage API keys
    • Separate data from one index to different user groups
  • Settings
    • General Settings
    • License (License Info)
      • Renew license
    • Special accounts
  • Backup/Restore
    • Backing up
    • Restoration from backup
  • Audit actions
    • AUTHORIZATION PLUGIN
    • CONFIG
    • REPORTS
    • INDEX MANAGEMENT
    • ARCHIVE
    • ALERTS
    • SYNC
    • AGENTS
    • INTELLIGENCE
    • NETWORK-PROBE
    • SCHEDULER
  • Index management
    • Close action
    • Delete action
    • Force Merge action
    • Shrink action
    • Rollover action
    • Index rollover
    • Custom action
      • Open index
      • Replica reduce
      • Index allocation
      • Cluster routing
    • Preinstalled actions
      • Close-Daily
      • Close-Monthly
      • Disable-Refresh-Older-Than-Days
      • Disable-Refresh-Older-Than-Month
      • Force-Merge-Older-Than-Days
      • Force-Merge-Older-Than-Months
      • Logtrail-default-delete
      • Logtrail-default-rollover
  • Task Management
    • Long Running Query
    • Searchbar and filtering
    • Task Details
  • Archive
    • Configuration
      • Enabling module
    • Archive Task
      • Create Archive task
      • Task List
    • Archive Search
      • Create Search task
      • Task list
    • Archive Restore
      • Create Restore task
      • Task List
    • Search/Restore task with archives without metadata
    • Archive Directory Structure
    • Archives Checksum Verification
      • Starting Verification
      • Verification Result
        • When all files are okay:
        • When results are partially correct:
        • When all files are failed:
    • Identifying progress of archivisation/restoration process
      • Uncompleted Tasks removal
    • Command Line tools
      • zstd
      • zstdcat
      • zstdgrep
      • zstdless
      • zstdmt
  • E-doc
    • Login to E-doc
    • Creating a public site
    • Creating a site with the permissions of a given group
    • Content management
      • Text formatting features
      • Insert Links
      • Insert images
      • Create a “tree” of documents
      • Embed allow iframes
      • Conver Pages
  • CMDB
    • Infrastructure tab
    • Relations Tab
    • Integration with network_visualization
  • Cerebro - Cluster Health
  • Data dump
  • Data Node index management tool
  • Cross-cluster Search
    • Configuration
    • Security
  • Sync/Copy
    • Configuration
    • Synchronize data
    • Copy data
    • Running Sync/Copy
  • XLSX Import
    • Importing steps
  • Network Probe
    • Input “beats”
    • Getting data from share folder
      • Input - FTP server
      • Input - SFTP server
      • Input - SMB/CIFS server
    • Input “network”
    • Input SNMP
    • Input HTTP / HTTPS
    • Input Relp
      • Description
      • Relp input configuration options
    • Input Kafka
    • Input File
    • Input database
      • Input MySQL
      • Input MSSQL
      • Input Oracle
      • Input PostgreSQL
    • Input CEF
    • Input OPSEC
      • Build FW1-LogGrabber
      • Download dependencies
      • Compile source code
      • Install FW1-LogGrabber
      • Set environment variables
      • Configuration files
      • lea.conf file
      • fw1-loggrabber.conf file
      • Command line options
      • Help
      • Debug level
      • Location of configuration files
      • Remote log files
      • Name resolving behaviour
      • Checkpoint firewall version
      • Online and Online-Resume modes
      • Audit and normal logs
      • Filtering
      • Supported filter arguments
      • Example filters
      • Checkpoint device configuration
      • FW1-LogGrabber configuration
      • Authenticated SSL OPSEC connections
      • Checkpoint device configuration
      • FW1-LogGrabber configuration
      • Authenticated OPSEC connections
      • Checkpoint device configuration
      • FW1-LogGrabber configuration
      • Unauthenticated connections
      • Checkpoint device configuration
      • FW1-LogGrabber configuration
    • Input SDEE
      • Configuration
    • Input XML
    • Input WMI
      • Configuration
    • Filter “beats syslog”
    • Filter “network”
    • Filter “geoip”
    • Avoiding duplicate documents
    • Data enrichment
      • Filter jdbc
      • Filter ldap
      • Configuration
      • Input event
      • Filter
      • Output event
      • Parameters available
      • Buffer
      • Memory Buffer
      • Persistant cache buffer
      • Filter translate
      • External API
      • Mathematical calculations
    • Output to Data Node
    • naemon beat
    • perflog
    • LDAP data enrichement
    • Multiline codec
  • SQL
    • SIEM Examples
      • Example 1: Check number of failed login attemps
      • Example 2: Gather host data from different sources in one place using JOIN
      • Example 3: See MAC addresses and their assigned IP addresses:
      • Example 4: Check total number of warnings from syslog:
      • Example 5: Check number of failed login attemps for every client:
    • SQL/PPL API
      • Query API
        • Query parameters
        • Request fields
          • Example request
          • Example response
        • Response fields
      • Explain API
        • Sample explain request for an SQL query
        • Sample explain request for a PPL query
        • Sample PPL query explain response
      • Paginating results
        • Example
      • Filtering results
      • Using parameters
    • Response formats
      • JDBC format
        • Example request
        • Example response
      • Energy Logserver DSL JSON format
        • Example request
        • Example response
      • CSV format
        • Example request
        • Example response
        • Sanitizing results in CSV format
        • Example
      • Raw format
        • Example request
        • Example response
        • Example
    • SQL
      • Basic queries
        • Syntax
        • Fundamentals
        • Execution Order
        • Select
          • Syntax
        • From
          • Syntax
        • Where
        • Group By
        • Having
        • Order By
        • Limit
      • Complex queries
        • Joins
          • Constraints
          • Description
          • Syntax
          • Example 1: Inner join
          • Example 2: Cross join
          • Example 3: Left outer join
        • Subquery
          • Example 1: Table subquery
          • Example 2: From subquery
      • Functions
        • Match query
          • Syntax
          • Example
        • Multi-match
          • Syntax
          • Example
        • Query string
          • Syntax
          • Example
          • Example of using query_string in SQL and PPL queries:
        • Match phrase
          • Syntax
        • Score query
          • Syntax
          • Example
        • Wildcard query
          • Syntax
          • Example
      • JSON Support
        • Querying nested collection
          • Example 1: Unnesting a nested collection
          • Example 2: Unnesting in existential subquery
      • Metadata queries
        • Syntax
        • Example 1: See metadata for indexes
        • Example 2: See metadata for a specific index
        • Example 3: See metadata for fields
      • Aggregate functions
        • GROUP BY
          • Using an identifier in GROUP BY
          • Using an ordinal in GROUP BY
          • Using an expression in GROUP BY
        • SELECT
          • Using aggregate expressions directly in SELECT
          • Using aggregate expressions as part of larger expressions in SELECT
          • Using expressions as arguments to aggregate functions
        • COUNT
        • HAVING
          • HAVING with GROUP BY
          • HAVING without GROUP BY
      • Delete
        • Setting
        • Syntax
        • Example
    • PPL - Piped Processing Language
      • Quick start
      • Example response
      • PPL syntax
        • Syntax
        • Examples
      • Commands
        • dedup
          • Syntax
          • Limitations
        • eval
          • Syntax
        • Limitation
      • fields
        • Syntax
      • parse
        • Syntax
        • Limitations
      • rename
        • Syntax
        • Limitations
      • sort
        • Syntax
      • stats
        • Syntax
      • where
        • Syntax
      • head
        • Syntax
        • Limitations
      • rare
        • Syntax
        • Limitations
      • top
        • Syntax
        • Limitations
    • Identifiers
      • Regular identifiers
      • Delimited identifiers
      • Case sensitivity
    • Data types
      • Date and time types
      • Date
      • Time
      • Datetime
      • Timestamp
      • Interval
      • Convert between date and time types
    • Functions
      • Mathematical
      • Trigonometric
      • Date and time
      • String
      • Aggregate
      • Advanced
      • Relevance-based search (full-text search)
    • Full-text search
      • Match
      • Syntax
        • Example 1: Search the message field for the text “this is a test”:
        • Example 2: Search the message field with the operator parameter:
        • Example 3: Search the message field with the operator and zero_terms_query parameters:
      • Multi-match
        • Syntax
        • For example, REST API search for Dale in either the firstname or lastname fields:
        • Query string
        • Syntax
        • Example of using query_string in SQL and PPL queries:
      • Match phrase
        • Syntax
        • Example of using match_phrase in SQL and PPL queries:
      • Simple query string
        • Syntax
        • Example of using simple_query_string in SQL and PPL queries:
      • Match phrase prefix
        • Syntax
        • Example of using match_phrase_prefix in SQL and PPL queries:
      • Match boolean prefix
        • Syntax
        • Example of using match_bool_prefix in SQL and PPL queries:
  • Automation
    • Connection
      • Example
    • Automations List
    • Credentials
    • Executions
    • Node
      • Core nodes
      • Regular nodes
      • Example
      • Trigger nodes
      • Node settings
      • Operations
      • Parameters
      • Settings
    • How to filter events
      • Example If usage
      • Example Case usage
      • IF
      • Node Reference
      • Switch
      • Node Reference
      • Spreadsheet File
      • Basic Operations
      • Node Reference
    • Automation integration nodes
  • Cooperation of logserver and antivirus program

• Log Management Plan
  • Main Features
  • Pipelines
  • Dashboards

• SIEM Plan
  • Alert Module
    • Enabling the Alert Module
    • SMTP server configuration
    • Creating Alerts
    • Alerts status
    • Alert Types
      • Any
      • Blacklist
      • Whitelist
      • Change
      • Frequency
      • Spike
      • Flatline
      • New Term
      • Cardinality
      • Metric Aggregation
      • Percentage Match
      • Unique Long Term
      • Find Match
      • Consecutive Growth
      • Logical
      • Chain
      • Difference
    • Alert Methods
      • Email
      • User
      • Command
      • The Hive
      • RSA Archer
      • Jira
      • WebHook Connector
      • Slack
      • ServiceNow
      • EnergySoar
    • Escalate
    • Recovery
    • Aggregation
    • Alert Content
    • Example of rules
      • Unix - Authentication Fail
      • Windows - Firewall disable or modify
    • Playbooks
      • Create Playbook
      • Playbooks list
      • Linking Playbooks with alert rule
      • Playbook verification
    • Risks
      • Create category
      • Category list
      • Create risk
      • List risk
      • Linking risk with alert rule
      • Risk calculation algorithms
      • Adding a new risk calculation algorithm
      • Using the new algorithm
      • Additional modification of the algorithm (weight)
    • Incidents
      • Incident Escalation
      • Context menu for Alerts::Incidents (WARNING: DEPRECATED)
    • Indicators of compromise (IoC)
      • Bad IP list update
      • Scheduling bad IP lists update
    • Calendar function
      • Create a calendar
    • Windows Events ID repository
      • Netflow analyzis
        • Enable Network Probe pipeline
        • Data Node template installation
        • Enable reverse dns lookup
    • Security rules
      • Cluster Health rules
      • MS Windows SIEM rules
      • Network Switch SIEM rules
      • Cisco ASA devices SIEM rules
      • Linux Mail SIEM rules
      • Linux DNS Bind SIEM Rules
      • Fortigate Devices SIEM rules
      • Linux Apache SIEM rules
      • RedHat / CentOS system SIEM rules
      • Checkpoint devices SIEM rules
      • Cisco ESA devices SIEM rule
      • Forcepoint devices SIEM rules
      • Oracle Database Engine SIEM rules
      • Paloalto devices SIEM rules
      • Microsoft Exchange SIEM rules
      • Juniper Devices SIEM Rules
      • Fudo SIEM Rules
      • Squid SIEM Rules
      • McAfee SIEM Rules
      • Microsoft DNS Server SIEM Rules
      • Microsoft DHCP SIEM Rules
      • Linux DHCP Server SIEM Rules
      • Cisco VPN devices SIEM Rules
      • Netflow SIEM Rules
      • MikroTik devices SIEM Rules
      • Microsoft SQL Server SIEM Rules
      • Postgress SQL SIEM Rules
      • MySQL SIEM Rules
    • Incident detection and mitigation time
    • Adding a tag to an existing alert
  • Siem Module
    • Active response
    • Log data collection
      • How it works
      • How to collect Windows logs
      • Configuration
    • File integrity monitoring
      • How it works
      • Configuration
    • Active response
      • How it works
      • Default Active response scripts
      • Configuration
    • Vulnerability detection
      • How it works
      • Running a vulnerability scan
  • Tenable.sc
    • Configuration
  • Qualys Guard
    • Configuration
  • BCM Remedy
  • SIEM Virtus Total integration
    • Configuration
  • SIEM Custom integration
  • License Service

• Network Probe
  • About
    • IDS and Full Packet Capture
    • NDR
    • Netflow
  • System Requirements
  • Installation
  • Licensing
  • Setting up the probe
    • Registration of a new probe
    • Database connection
  • Gui Plugin
    • Pipelines Management
      • Pipeline Details
      • Manage pipeline
    • Network Probes
      • Services Section
      • Pipelines Section
        • Pipeline configuration
        • Pipeline status
        • Filtering by status
        • Reload pipelines configuration
        • Enable/disable pipeline
      • Files Section
        • Filtering and searching
        • Create file
        • Update file
        • Delete file
        • Enable/disable file
        • Files parsing
        • Files’ revision consistency
        • Files re-registration
  • Troubleshooting
    • Debugging
    • Another operation in progress
    • Restarting the probe
    • Removing already registered probe
    • Re-registering probe

• Empowered AI
  • Table of Contents
  • AI Rules
    • Status
    • Actions
  • Common Elements
    • Settings and Configuration for all Analytical Use Cases
      • Defining Data Source in the Empowered AI Module
      • Configuring the Analytical Rule
      • Configuring the Scheduler
      • Accessing the Performance Tab
    • Summary
  • Univariate Anomaly Detection
    • Step 1: Configuring the Univariate Anomaly Detection Rule
    • Step 2: Running the Rule
    • Summary
  • Performance Tab for Univariate Anomaly Detection
    • Understanding the Performance Graph
      • Key Elements of the Performance Graph
      • Interpreting the Graph
      • Using the Performance Graph
    • Summary
  • Multivariate Anomaly Detection
    • Step 1: Configuring the Multivariate Anomaly Detection Rule
    • Step 2: Running the Rule
    • Summary
  • Performance Tab for Multivariate Anomaly Detection
    • Visualizing Anomalies Over Time
    • Summary
  • Clustering
    • Step 1: Configuring the Clustering Rule
    • Step 2: Running the Rule
    • Summary
  • Performance Tab for Clustering
    • Elbow Method and Optimal Number of Clusters
    • Cluster Quality Chart
    • Cluster Distribution Chart
      • Benefits of the Cluster Distribution Chart
    • Clustering Result Examples
      • Understanding the Clustering Result Examples
      • Benefits of Viewing Clustering Result Examples
    • Summary
  • Forecasting
    • Step 1: Data Aggregation
    • Step 2: Forecast Time Frame
    • Summary
  • Performance Tab for Forecasting
    • Forecast vs Actual Data Chart
    • Performance Analysis Over Time
    • Summary
  • Text Anomaly Detection
    • Key Features
    • Summary
  • Performance Tab for Text Anomaly Detection
    • Understanding the Performance Graphs
    • Using the Performance Graphs
    • Anomaly Detection Table
    • Information in the Anomaly Detection Table:
    • Expanding a Row
    • Filtering by Rare Words
    • Actions in the Table
    • Distinct Anomaly List Table
    • Summary
  • Conclusion
  • Default AI Rules
  • FAQ
  • Troubleshooting

• User and Entity Behaviour Analytics (UEBA)
  • Events
  • Empowered AI
  • Raw Logs

• Troubleshooting

• Monitoring
  • About Skimmer
  • Skimmer Installation
  • Skimmer service configuration
    • Skimmer GUI configuration
    • Expected Data Nodes

• API

• Integrations

• MSSP licensing
  • Collecting Sources
  • Managing Sources
  • Source types
    • 1. Waiting
    • 2. Allowed
    • Source removal
    • Manual change of state from Waiting to Allowed
    • Manual change of state from Allowed to Waiting
  • Fingerprint
  • The Permissive Mode
    • Turn on/off the Permissive Mode
    • Check MSSP status
    • MSSP disabled

• CHANGELOG