How to implement and manage Logpoint’s SIEM tool

Logpoint is based on a highly scalable and flexible architecture. The solution offers many options for a SIEM implementation custom fit for your environment. Starting with just one server, Logpoint easily scales to provide a future-proof upgrade path.

The Logpoint licensing model is based on the number of log sources consumed, not the data volume or events per second. The model is unique, allowing you to design and deploy a multi-server environment, irrespective of the size of the archive, amount of log data or number of users – without affecting the cost.

The Logpoint implementation can be performed in part or full by a Logpoint-certified partner. Our partners provide installation, configuration and customization support. Many partners are also Managed Security Service Providers (MSSPs).

Tip: Need a SIEM sizing tool? Check out our sizing calculator

Try the calculator!

Contact Logpoint

Workshop

Begin the Logpoint implementation process with a workshop, either internally or hosted by a Logpoint partner, to define and agree upon the project scope and timeline. The workshop should address:

Use cases

Develop a prioritized list of initial use cases to dictate necessary log sources.

Log sources

Identify log sources within the project scope to determine if it’s necessary to configure any devices to obtain relevant information.

Data retention

Define timeframe for log data storage from various sources.

PID documentation

Finalize the project information document, which should consist of all log sources, corresponding IP addresses, types of systems and brands.

Simplified role-based access control (kontrol)

Roles and responsibilities

Identify key members of the implementation team, including a project manager for large implementations, and assign responsibilities.

Processes

Establish a process to manage information generated post-implementation.

Design

Following a workshop and defined scope, you can design your Logpoint solution for SIEM implementation. The design includes:

Architecture

Consider a standalone or distributed solution as well as future scaling options. Logpoint solutions feature:

Standalone server
Search head, which provides a web-based user interface featuring dashboards and reports
Backend server for indexing and storage
Logpoint collector to receive logs and forward logs to a centralized backend for storage
Syslog forwarder to transport logs over secure network boundaries

Hardware sizing

Calculate the necessary Logpoint resources by determining the expected amount of log data (EPS), number of simultaneous analysts (users) and number of alerts.

Storage requirements

Review data retention requirements to estimated storage. You can also consider several tiered storage solutions.

Installation

Select a physical or virtual Logpoint server for your SIEM Implementation. Physical servers deliver better performance for indexing servers. Install the Logpoint software appliance and operating system (Ubuntu 16.04 LTS) from an ISO image.

Alternatively, consider a Logpoint appliance, which ships with the software pre-installed. Implementing a distributed solution, you can combine physical and virtual appliances as needed. Logpoint provides a license file and updates to be applied.

Configuration

To configure Logpoint, simply set system parameters, including an IP address and network information. Additional configuration is executed through the web-based user interface:

For distributed solutions, connect Logpoint servers.
Enable LDAP authentication for users who want to access Logpoint using their AD credentials.
Import application packs, which include ready-made normalizations, dashboards and report templates for your log sources.
Configure your log sources in Logpoint to start receiving data.
Set-up required dashboards.
Schedule required reports.
Enable required alerts.

If you need help with your SIEM implementation or ongoing SIEM management, contact a Logpoint certified partner or contact us directly.