Controlling SMB Logs

When you add a source that uses the SMB protocol, you can check its logs either through the web interface or through the CLI. The web interface is the easier of the two.


Web Interface Method:


Using the Search module in the Logsign Unified SecOps Platform web interface, you can search a source's logs by its name or IP address.


For example, the query Source.IP:"192.168.1.80" EventSource.Product:"IIS" returns the IIS logs received from the source at 192.168.1.80.



CLI Method:


To check the logs via the CLI, connect to the Logsign Unified SecOps Platform over SSH. Then follow the steps below to check the logs of a source that was added with the SMB protocol.


Source logs can be viewed either as raw logs or as normalized logs.


Raw logs are written to gzip-compressed files (.gz extension) in the /opt/var/log folder; the file names start with collected.raw.customer.


From that folder, you can view a raw log file with a command such as "zcat collected.raw.customer@1238@0.0.0.0.2019-11-13.gz". To see only the logs from a specific source, pipe the output through a filter (for example grep on the source IP address).
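The following is an added example (not code from the Logsign page) of the raw-log filtering step as a small shell script. It keeps the file name pattern and folder the page describes, but it writes a constructed sample file to a temporary directory so it runs anywhere; the log line format inside that file is invented for the demo and is not the actual Logsign raw format. It uses gzip -dc, which is equivalent to zcat on the appliance.

```shell
#!/bin/sh
# Added example, not part of the Logsign documentation.
# Filters raw source logs by source IP from gzip-compressed
# collected.raw.customer*.gz files, the way zcat | grep does on the CLI.
set -eu

# On the appliance this would be /opt/var/log; a temp dir is used here so the
# example is self-contained.
LOGDIR="${LOGDIR:-$(mktemp -d)}"

# Write a constructed raw log file. The content is hypothetical demo data;
# only the file name pattern follows the page.
make_sample_logs() {
  dir="$1"
  {
    printf '%s\n' '2019-11-13 10:15:01 192.168.1.80 IIS GET /index.html 200'
    printf '%s\n' '2019-11-13 10:15:02 192.168.1.81 IIS GET /login 302'
    printf '%s\n' '2019-11-13 10:15:03 192.168.1.80 IIS POST /api 500'
    printf '%s\n' '2019-11-13 10:15:04 10.0.0.5 sshd Accepted publickey'
  } | gzip -c > "$dir/collected.raw.customer@1238@0.0.0.0.2019-11-13.gz"
}

# Decompress every raw log file in the folder and keep only the lines that
# contain the given IP as a whole token, so that filtering on 192.168.1.8
# does not also match 192.168.1.80.
filter_raw_by_ip() {
  dir="$1"; ip="$2"
  # Escape the dots so grep treats them literally rather than as wildcards.
  pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
  # grep exits 1 when nothing matches; treat that as "no lines", not an error.
  gzip -dc "$dir"/collected.raw.customer*.gz \
    | grep -E "(^|[^0-9.])${pat}([^0-9]|$)" || [ $? -eq 1 ]
}

# Number of raw log lines from a given source IP.
count_raw_by_ip() {
  filter_raw_by_ip "$1" "$2" | wc -l | tr -d ' '
}

make_sample_logs "$LOGDIR"
filter_raw_by_ip "$LOGDIR" 192.168.1.80
```

The whole-token match matters in practice: a bare grep for 192.168.1.8 would also return every line from 192.168.1.80 through 192.168.1.89, which is an easy way to misattribute events when reviewing a source's logs.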




Logs whose normalization process has completed can also be viewed from the CLI.


