You can check the logs of a device added to your Logsign SIEM as a WMI source in two ways: through the web interface or from the CLI.
To check from the web interface, open the source list under Settings > Device Management > Device List and click the magnifying glass icon to the right of the source whose logs you want to check.
To check from the CLI, first connect to Logsign SIEM over SSH.
With the commands below you can view a source's logs either in the raw logs or in the normalized logs.
Raw logs are written to gzip-compressed files (.gz extension) whose names begin with collected.raw.customer, in the /opt/var/log folder.
You can view a raw log file with zcat, for example: zcat collected.raw.customer@email@example.com. Replace the date part of the file name with the date you want to check. To view only the logs from a particular source, pipe the output through a filter such as the one in the example below.
For the same example, the logs whose normalization has completed are shown below.
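The raw-log part of the CLI procedure above, as an added shell example (not Logsign's own tooling or documentation). It assumes what the page states, that the raw files are gzip-compressed, start with collected.raw.customer and sit under /opt/var/log, and it labels what the page does not state: the exact date format inside the file name (matched here with a glob on the date string you pass in) and that a source is identified by its IP address in the raw line. The function names raw_logs_from_source and count_raw_logs_from_source, the variable RAW_LOG_DIR, the file name collected.raw.customer.2024-01-15.gz and the Windows event log lines are all constructed for the demo. The example goes a little beyond the page's single zcat: it walks every raw file for the date, greps the IP literally and as a whole word so 10.0.0.5 does not also match 10.0.0.50, and counts the hits, which is the quick check that a newly added WMI source is really delivering logs.

```shell
#!/bin/sh
# Added example (not Logsign's own tooling or documentation).
# Assumptions, labelled here because the page does not state them:
#   - raw log files live under $RAW_LOG_DIR (default /opt/var/log, per the page),
#     are gzip-compressed and begin with "collected.raw.customer";
#   - the exact date format inside the file name is not given on the page, so
#     files are selected with a glob on the date string you pass in;
#   - the "source" being filtered is identified by its IP address as it appears
#     in the raw line. Adjust the grep pattern if your sources log a hostname.
# gzip -dc is used instead of zcat only because it behaves the same on every platform.

RAW_LOG_DIR="${RAW_LOG_DIR:-/opt/var/log}"

# Print every raw log line that mentions source IP $1, from all raw files whose
# name contains the date string $2.
# Usage: raw_logs_from_source 10.0.0.5 2024-01-15
raw_logs_from_source() {
    src="$1"
    datepat="$2"
    for f in "$RAW_LOG_DIR"/collected.raw.customer*"$datepat"*.gz; do
        [ -e "$f" ] || continue          # glob matched nothing: no files for that date
        # -F: match the IP literally (an unescaped "." would match any character);
        # -w: whole-word match, so 10.0.0.5 does not also match 10.0.0.50 or 110.0.0.5.
        # A file with no matching line is not an error, hence "|| :".
        gzip -dc "$f" | grep -F -w -- "$src" || :
    done
}

# Count the matching lines; handy to confirm a source is actually sending logs.
count_raw_logs_from_source() {
    raw_logs_from_source "$1" "$2" | wc -l | tr -d ' '
}

# ---- constructed demo data: these are made-up lines, not real Logsign output ----
# Creates a temporary log directory, writes one gzipped raw file for 2024-01-15
# (hypothetical file name) and points RAW_LOG_DIR at it, so the functions above
# can be exercised offline.
make_demo_logs() {
    RAW_LOG_DIR="$(mktemp -d)"
    {
        printf '%s\n' '2024-01-15T10:00:01 10.0.0.5 MSWinEventLog 4624 An account was successfully logged on'
        printf '%s\n' '2024-01-15T10:00:02 10.0.0.50 MSWinEventLog 4625 An account failed to log on'
        printf '%s\n' '2024-01-15T10:00:03 10.0.0.5 MSWinEventLog 4688 A new process has been created'
        printf '%s\n' '2024-01-15T10:00:04 110.0.0.5 MSWinEventLog 4624 An account was successfully logged on'
    } | gzip -c > "$RAW_LOG_DIR/collected.raw.customer.2024-01-15.gz"
}

# Stand-alone demo: build the sample file, then show and count one source's logs.
make_demo_logs
raw_logs_from_source 10.0.0.5 2024-01-15
echo "lines from 10.0.0.5: $(count_raw_logs_from_source 10.0.0.5 2024-01-15)"
```

On a real appliance drop the demo lines at the bottom, leave RAW_LOG_DIR at its default and call raw_logs_from_source with the source IP and the date string as it appears in your file names. A count of 0 for a date on which the device was online means the source is not reaching the collector at all, which is a different problem from logs arriving but failing normalization.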