Controlling WMI Logs

You can check the logs of a device added as a WMI source in two ways: through the web interface or through the CLI.

 

Web Interface Method:

 

Click Settings -> Integrations -> Data Collection to open the source list. Click the Search button to the right of the source you want to check.

67.png

 

CLI Method:

 

Connect to the Logsign Unified SecOps Platform over SSH. Follow the steps given below to see the source's logs in the raw logs or in the normalized logs.

 

Raw logs are written to the /opt/var/log folder, in files with the gz extension whose names start with collected.raw.customer.

 

You can view raw logs with the command "zcat collected.raw.customer@1238@0.0.0.0.2019-11-13.gz". You can use a filter as shown below to view only the logs from a specific source.

 

Screen_Shot_2019-11-13_at_10.35.37.png
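One way to run the per-source filter described above across every raw log file, as an added example that is not from Logsign's documentation. The function name count_source_logs is hypothetical, and the script assumes the source's IP address or host name appears as plain text in each raw log line.

```shell
#!/bin/sh
# Added example: count raw log lines per file that mention one source.
# Usage: count_source_logs SOURCE [LOG_DIR]
#   SOURCE  - IP address or host name of the WMI source (matched literally)
#   LOG_DIR - folder with collected.raw.customer*.gz (default: /opt/var/log)
# Example: count_source_logs 10.0.0.5
count_source_logs() {
    src=$1
    dir=${2:-/opt/var/log}
    if [ -z "$src" ]; then
        echo "usage: count_source_logs SOURCE [LOG_DIR]" >&2
        return 2
    fi
    found=0
    for f in "$dir"/collected.raw.customer*.gz; do
        [ -f "$f" ] || continue      # the glob matched nothing
        found=1
        # gzip -dc does the same job as zcat. grep -F treats the dots in
        # an IP address literally, and -w keeps 10.0.0.5 from also
        # matching 10.0.0.50. grep -c exits 1 on zero matches, so the
        # trailing "|| true" keeps the count of 0 instead of failing.
        n=$(gzip -dc -- "$f" | grep -F -w -c -- "$src" || true)
        printf '%s %s\n' "$n" "${f##*/}"
    done
    if [ "$found" -ne 1 ]; then
        echo "no raw log files found in $dir" >&2
        return 1
    fi
}
```

A count of 0 for a given day means no raw line from that source was collected into that file, which is the point at which to look at the wmi-poller output.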

 

Logs that have completed normalization can be viewed as shown below.

 

Screen_Shot_2019-11-13_at_10.34.27.png

Follow the steps given below to see the output of the wmi-poller service in the CLI.

mceclip0.png

Error logs are shown with a description. The example below shows a DCOM session issue.

mceclip1.png

To fix this issue, check the authorizations of the authentication user in the DCOM settings.
