Microsoft IIS Source Adding via SMB

SMB protocol is one of the source addition options of the Logsign Unified SecOps Platform product. If your product, device, or software you are using logs on the file, Logsign Unified SecOps Platform will read that file and provide you with relevant results.

  1. Go to "Settings" → "Data Collection" then click on "+ Device" :

2.png

     2. Select "SMB" :

23.png

  1. You can enter Administrator credentials, or the second way is creating a local user. You can go to the inetpub file path and share it with the local user that you created. Also, you should add this user under the security tab on the same screen.

The remote host includes the following information:

  • Host: The IP address for the remote IIS server.
  • Username: "Administrator."
  • Password: The password for the administrator account.
  • Workgroup: Then network Workgroup name.

24.png

  1. Under the "Directory Tree" make sure to select the "\Logfiles2\W3SVC1\" folder that contains the log files for the IIS server :

25.png

  1. Under that make sure to enter the following information for a proper log collection :

26.png

Vendor:  Specify the brand information of the system you have used in this section. Choose Microsoft because you are configuring on Windows operating system.

Product: Specify product information in this section. IIS Server option is selected because you are setting IIS Server on Windows.

Then click the Save Pattern button to save the settings.

Please note that: You can add multiple pattern information.

Read Static Files: All files in the shared folder will be read when you tick the box.

Period: Determine how long the logs will be taken from the source. You need to specify in minutes, and the default value is thirty (30) minutes.

EPS: The expansion of the EPS variant used in the shared network world is known as Event Per Second. You can refer to the amount of data on your network that comes from the products such as Intrusion Detection System, Hardware or Software Firewall, Server, Switch and Router to the Logsign Unified SecOps Platform. In the Logsign Unified SecOps Platform product, the EPS value is set to default one thousand "1000" in the specified configurations, which is normal.

Please note that: If you think that the EPS value on your system is high, please contact the Logsign Customer Support Unit.

Data Policy: You can filter in or out of incoming data. In the Data Policy section, you can specify the kind of logs (word, event movement type, etc.) that you want to receive or not from the source. The default setting here is the Default Policy, which has the default rule is "collect all logs."

Offset: To explain it in terms of definition, let's say “time difference.” If the "system" time you want to log in is forward or backward from the real-time difference, you can edit it accordingly. The symbol "+" moves forward, and "-" moves backward. Time information is specified in minutes.

Check Health: Check this box to be informed about the service and operability of the Logsign Unified SecOps Platform. The Health Check Period tab will come up when you tick the box. This part is the time interval information to be checked. 

Description: You must enter a descriptive name according to the configuration that you made (For ex. IIS1). It can provide convenience for people who analyze logs. Think of the Description field as a resource-specific area.

Tag: Slightly different from the Description section, it can be used for a broader purpose. For example, you can query by tag, and make tag-based definitions while creating a report if you use multiple Exchange and define each tag as IIS1 or IIS2. If you want to query about an event, you will get a shorter result when you search according to IIS1 name. 

 

Was this article helpful?
1 out of 1 found this helpful

Articles in this section

See more
Become a Certified Logsign User/Administrator
Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.
Visit Our Blog
Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.