Controlling SMB Logs

Updated May 08, 2024 16:21

When you add a source with the SMB protocol, you can control the logs through web interface or CLI. Controlling logs from the web interface is an easier process.

Web Interface Method:

Using the Search module in Logsign Unified SecOps Platform web interface, you can search the source logs by typing the source name or IP address.

As an example, you can use Source.IP:"192.168.1.80" EventSource.Product:"IIS" queries.

CLI Method:

You have to connect to Logsign Unified SecOps Platform with ssh to check the logs via CLI. Follow the steps given below to check the source logs which is added with the SMB protocol.

You can see the source logs in the raw logs or in the normalized logs.

Raw logs are written in the file with the gz extension which starts with collected.raw.customer in the /opt/var/log folder.

You can view raw logs with the command "zcat collected.raw.customer@1238@0.0.0.0.2019-11-13.gz". You can use a filter as shown below to view only the logs from a specific source.

Screen_Shot_2019-11-13_at_10.18.33.png

You can see the logs whose normalization process is completed as shown below.

Screen_Shot_2019-11-13_at_10.22.27.png

Articles in this section

Become a Certified Logsign User/Administrator

Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.

Visit Our Blog

Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.