When you add a source to the Logsign SIEM product with the SMB protocol, you can check that source's logs through either the web interface or the CLI; checking through the web interface is simpler than checking through the CLI.
Using the Search module in the Logsign SIEM web interface, you can search for a source's logs by typing the source name or IP address.
For example, you can search with the query EventSource.IP: "10.10.2.22" or EventSource.Description: "WebServer".
The second way is to connect to the Logsign SIEM CLI over SSH and then follow the steps below to check the logs from the source we added with the SMB protocol.
Using the commands below, we can view the source's logs either as raw logs or as normalized logs.
Raw logs are written to a file with the gz extension whose name starts with collected.raw.customer, in the /opt/var/ log folder.
You can view raw logs with the command zcat collected.raw.customer@1238@0.0.0.0.2019-11-13.gz. Change the date in the example command to the day you want to inspect. You can use a filter like the example below to view only the logs from a particular source.
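One way to write such a filter, as an added example that is not Logsign's own command: the hypothetical function filter_raw_logs takes the raw log folder, a date and a source IP, and matches the IP exactly so that 10.10.2.22 does not also return lines for 10.10.2.221. It uses gzip -dc, which is equivalent to the zcat shown above.

```shell
# Added example (not from Logsign documentation).
# Usage: filter_raw_logs DIR DATE IP
#   DIR  - folder holding the collected.raw.customer*.gz files
#   DATE - day to inspect, in YYYY-MM-DD form as in the file name
#   IP   - source address to keep, e.g. 10.10.2.22
filter_raw_logs() {
    dir=$1
    day=$2
    ip=$3

    # A bare "." in a regex matches any character, so escape the dots;
    # otherwise 10.10.2.22 would also match a string like 10.10.2x22.
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')

    found=0
    for f in "$dir"/collected.raw.customer*"$day".gz; do
        # The glob stays literal when nothing matches; skip that case.
        [ -e "$f" ] || continue
        found=1
        # Require a non-digit boundary on both sides of the address so
        # neighbours such as 10.10.2.221 or 110.10.2.22 are excluded.
        # "|| true": an empty result is not an error for the caller.
        gzip -dc "$f" | grep -E "(^|[^0-9.])${pat}([^0-9]|\$)" || true
    done

    # Distinguish "no file for that day" from "file exists, no events":
    # the first usually means a wrong date or that collection stopped.
    if [ "$found" -ne 1 ]; then
        echo "no raw log file for $day in $dir" >&2
        return 2
    fi
}
```

An empty result with exit status 0 means the file for that day exists but holds no events from the source; exit status 2 means no raw file was found for the date at all.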
For the same example, you can see below the logs whose normalization is complete.