How to implement and manage LogPoint’s SIEM tool
LogPoint is based on a highly scalable and flexible architecture. The solution offers many options for a SIEM implementation custom fit for your environment. Starting with just one server, LogPoint easily scales to provide a future-proof upgrade path.
The LogPoint licensing model is based on the number of log sources consumed, not the data volume or events per second. The model is unique, allowing you to design and deploy a multi-server environment, irrespective of the size of the archive, amount of log data or number of users – without affecting the cost.
The LogPoint implementation can be performed in part or full by a LogPoint-certified partner. Our partners provide installation, configuration and customization support. Many partners are also Managed Security Service Providers (MSSPs).
A look at the SIEM implementation process:
Begin the LogPoint implementation process with a workshop, either internally or hosted by a LogPoint partner, to define and agree upon the project scope and timeline. The workshop should address:
Develop a prioritized list of initial use cases to dictate necessary log sources.
Identify log sources within the project scope to determine if it’s necessary to configure any devices to obtain relevant information.
Define timeframe for log data storage from various sources.
Finalize the project information document, which should consist of all log sources, corresponding IP addresses, types of systems and brands.
Roles and responsibilities
Identify key members of the implementation team, including a project manager for large implementations, and assign responsibilities.
Establish a process to manage information generated post-implementation.
Following a workshop and defined scope, you can design your LogPoint solution for SIEM implementation. The design includes:
Consider a standalone or distributed solution as well as future scaling options. LogPoint solutions feature:
- Standalone server
- Search head, which provides a web-based user interface featuring dashboards and reports
- Backend server for indexing and storage
- LogPoint collector to receive logs and forward logs to a centralized backend for storage
- Syslog forwarder to transport logs over secure network boundaries
Calculate the necessary LogPoint resources by determining the expected amount of log data (EPS), number of simultaneous analysts (users) and number of alerts.
Review data retention requirements to estimated storage. You can also consider several tiered storage solutions.
Select a physical or virtual LogPoint server for your SIEM Implementation. Physical servers deliver better performance for indexing servers. Install the LogPoint software appliance and operating system (Ubuntu 16.04 LTS) from an ISO image.
Alternatively, consider a LogPoint appliance, which ships with the software pre-installed. Implementing a distributed solution, you can combine physical and virtual appliances as needed. LogPoint provides a license file and updates to be applied.
To configure LogPoint, simply set system parameters, including an IP address and network information. Additional configuration is executed through the web-based user interface:
- For distributed solutions, connect LogPoint servers.
- Enable LDAP authentication for users who want to access LogPoint using their AD credentials.
- Import application packs, which include ready-made normalizations, dashboards and report templates for your log sources.
- Configure your log sources in LogPoint to start receiving data.
- Set-up required dashboards.
- Schedule required reports.
- Enable required alerts.