When you add a source with the SMB protocol, you can check its logs through the web interface or the CLI. Checking logs from the web interface is the easier process.
Web Interface Method:
Using the Search module in Logsign Unified SecOps Platform web interface, you can search the source logs by typing the source name or IP address.
For example, you can use queries such as Source.IP:"192.168.1.80" and EventSource.Product:"IIS".
CLI Method:
To check the logs via the CLI, connect to the Logsign Unified SecOps Platform over SSH. Follow the steps below to check the logs of a source that was added with the SMB protocol.
You can see the source logs in the raw logs or in the normalized logs.
Raw logs are written to files with the gz extension whose names start with collected.raw.customer in the /opt/var/log folder.
You can view raw logs with the command "zcat collected.raw.customer@1238@0.0.0.0.2019-11-13.gz". You can use a filter as shown below to view only the logs from a specific source.
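As an added example (not part of the original page or of Logsign's own tooling), the shell function below wraps the zcat step above so that it reads every collected.raw.customer archive for one day and keeps only the lines that mention a given source IP; the log directory, the file-name pattern and the sample log lines are assumptions based on the file name quoted above.

```shell
#!/bin/sh
# Added example: filter Logsign raw-log archives for one source IP.
# Assumed layout from the page: /opt/var/log/collected.raw.customer@<id>@<bind>.<date>.gz
# LOG_DIR can be overridden so the functions can run against constructed sample files.
LOG_DIR="${LOG_DIR:-/opt/var/log}"

# Print every raw log line for the given day that contains the given source IP.
# Usage: raw_logs_for_source 192.168.1.80 2019-11-13
raw_logs_for_source() {
  ip="$1"; day="$2"
  # Escape the dots so grep -E matches the literal IP rather than "any character".
  pattern="$(printf '%s' "$ip" | sed 's/\./\\./g')"
  for f in "$LOG_DIR"/collected.raw.customer@*@*."$day".gz; do
    [ -e "$f" ] || continue   # the glob matched nothing for this day
    # Anchor on non-address characters so 192.168.1.8 does not also match 192.168.1.80.
    zcat "$f" | grep -E "(^|[^0-9.])$pattern([^0-9.]|$)" || true
  done
}

# Count the matching lines: a quick check that a newly added source is really sending logs.
count_raw_logs_for_source() {
  raw_logs_for_source "$1" "$2" | wc -l | tr -d ' '
}

# Write constructed sample archives (not real Logsign output) into the given directory
# so the functions above can be exercised offline.
make_sample_logs() {
  dir="$1"
  printf '%s\n' \
    '2019-11-13T10:00:01 192.168.1.80 IIS GET /index.html 200' \
    '2019-11-13T10:00:02 192.168.1.8 IIS GET /other.html 200' \
    '2019-11-13T10:00:03 192.168.1.80 IIS POST /login 302' \
    | gzip > "$dir/collected.raw.customer@1238@0.0.0.0.2019-11-13.gz"
  printf '%s\n' '2019-11-13T10:00:04 10.0.0.5 IIS GET / 200' \
    | gzip > "$dir/collected.raw.customer@1239@0.0.0.0.2019-11-13.gz"
}
```

On a real appliance, leave LOG_DIR at its default and call raw_logs_for_source with the IP of the SMB source and the date in the archive name.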
You can see the logs whose normalization process is completed as shown below.