How to implement & manage 2018-05-03T14:19:16+00:00

How to implement and manage LogPoint’s SIEM tool

SIEM Implementation

LogPoint is based on a highly scalable and flexible architecture. The solution offers many options for a SIEM implementation custom fit for your environment. Starting with just one server, LogPoint easily scales to provide a future-proof upgrade path.

The LogPoint licensing model is based on the number of log sources consumed, not the data volume or events per second. The model is unique, allowing you to design and deploy a multi-server environment, irrespective of the size of the archive, amount of log data or number of users – without affecting the cost.

The LogPoint implementation can be performed in part or full by a LogPoint-certified partner. Our partners provide installation, configuration and customization support. Many partners are also Managed Security Service Providers (MSSPs).

A look at the SIEM implementation process:

Workshop

Begin the LogPoint implementation process with a workshop, either internally or hosted by a LogPoint partner, to define and agree upon the project scope and timeline. The workshop should address:

Use cases

Develop a prioritized list of initial use cases to dictate necessary log sources.

Log sources

Identify log sources within the project scope to determine if it’s necessary to configure any devices to obtain relevant information.

Data retention

Define timeframe for log data storage from various sources.

PID documentation

Finalize the project information document, which should consist of all log sources, corresponding IP addresses, types of systems and brands.

Roles and responsibilities

Identify key members of the implementation team, including a project manager for large implementations, and assign responsibilities.

Processes

Establish a process to manage information generated post-implementation.

Design

Following a workshop and defined scope, you can design your LogPoint solution for SIEM implementation. The design includes:

Architecture

Consider a standalone or distributed solution as well as future scaling options. LogPoint solutions feature:

  • Standalone server
  • Search head, which provides a web-based user interface featuring dashboards and reports
  • Backend server for indexing and storage
  • LogPoint collector to receive logs and forward logs to a centralized backend for storage
  • Syslog forwarder to transport logs over secure network boundaries

Hardware sizing

Calculate the necessary LogPoint resources from the expected log volume in events per second (EPS), the number of simultaneous analysts (users) and the number of alerts.

Storage requirements

Review the data retention requirements to estimate the storage needed. You can also consider tiered storage, with recent data on fast storage and older data on cheaper, higher-capacity storage.
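The hardware sizing and storage requirements steps above both start from the same inputs: EPS per log source, average event size and the retention period agreed in the workshop. The following calculator is an added example, not LogPoint code or a LogPoint sizing formula; the log sources, the hot/cold tier split, the index expansion factor, the compression ratio, the peak factor and the headroom are all constructed assumptions that you would replace with measured values from your own environment.

```python
# Added example (not LogPoint's own sizing tool): rough capacity estimate from
# per-source EPS, event size and retention, split across a hot and a cold tier.
# Every ratio below is an assumption; measure your real sources before sizing.
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GIB = 1024 ** 3


@dataclass(frozen=True)
class LogSource:
    name: str
    avg_eps: float        # average events per second (measured, not guessed)
    avg_event_bytes: int  # average raw size of one event
    retention_days: int   # retention agreed in the workshop for this source


@dataclass(frozen=True)
class SizingAssumptions:
    hot_days: int            # days kept on fast, fully indexed storage
    hot_expansion: float     # raw + index overhead on the hot tier (assumed, e.g. 1.5)
    cold_compression: float  # raw/stored ratio on the cold tier (assumed, e.g. 5.0)
    peak_factor: float = 3.0 # peak EPS relative to average, for ingest sizing
    headroom: float = 1.25   # growth allowance applied to all storage figures


def raw_bytes_per_day(src: LogSource) -> float:
    """Raw (uncompressed, unindexed) bytes one source produces per day."""
    return src.avg_eps * src.avg_event_bytes * SECONDS_PER_DAY


def estimate(sources, a: SizingAssumptions) -> dict:
    """Return bytes per tier plus the EPS figures used for ingest sizing."""
    hot = cold = 0.0
    for src in sources:
        per_day = raw_bytes_per_day(src)
        hot_days = min(src.retention_days, a.hot_days)
        cold_days = src.retention_days - hot_days
        hot += per_day * hot_days * a.hot_expansion
        cold += per_day * cold_days / a.cold_compression
    total_eps = sum(s.avg_eps for s in sources)
    return {
        "hot_bytes": hot * a.headroom,
        "cold_bytes": cold * a.headroom,
        "total_bytes": (hot + cold) * a.headroom,
        "avg_eps": total_eps,
        "peak_eps": total_eps * a.peak_factor,
    }


def to_gib(n_bytes: float) -> float:
    return n_bytes / GIB


# Constructed sample inventory, the kind of data the PID document should hold.
SAMPLE_SOURCES = [
    LogSource("perimeter-firewalls", avg_eps=500, avg_event_bytes=300, retention_days=365),
    LogSource("windows-domain-controllers", avg_eps=200, avg_event_bytes=800, retention_days=180),
]
SAMPLE_ASSUMPTIONS = SizingAssumptions(hot_days=30, hot_expansion=1.5, cold_compression=5.0)

if __name__ == "__main__":
    r = estimate(SAMPLE_SOURCES, SAMPLE_ASSUMPTIONS)
    print(f"average ingest: {r['avg_eps']:.0f} EPS, plan for peaks of {r['peak_eps']:.0f} EPS")
    print(f"hot tier:  {to_gib(r['hot_bytes']):8.1f} GiB")
    print(f"cold tier: {to_gib(r['cold_bytes']):8.1f} GiB")
    print(f"total:     {to_gib(r['total_bytes']):8.1f} GiB")
```

Run it once with your own source list and a hot tier that covers the period analysts actually search interactively; the cold tier figure then feeds the archive or tiered storage decision, and the peak EPS figure feeds the collector and backend sizing.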

Installation

Select a physical or virtual LogPoint server for your SIEM implementation. Physical servers deliver better performance for the indexing role. Install the LogPoint software appliance and its operating system (Ubuntu 16.04 LTS) from an ISO image.

Alternatively, consider a LogPoint appliance, which ships with the software pre-installed. In a distributed solution you can combine physical and virtual appliances as needed. LogPoint provides a license file and updates to be applied.

Configuration

To configure LogPoint, simply set system parameters, including an IP address and network information. Additional configuration is executed through the web-based user interface:

  • For distributed solutions, connect LogPoint servers.
  • Enable LDAP authentication for users who want to access LogPoint using their AD credentials.
  • Import application packs, which include ready-made normalizations, dashboards and report templates for your log sources.
  • Configure your log sources in LogPoint to start receiving data.
  • Set up required dashboards.
  • Schedule required reports.
  • Enable required alerts.

If you need help with your SIEM implementation or ongoing SIEM management, contact a LogPoint-certified partner or contact us directly.