SMB Tail protocol configuration options
You can configure a log source to use the SMB Tail protocol. Use this protocol to watch events on a remote Samba share and receive events from the Samba share when new lines are added to the event log.
The SMB Tail protocol is an active outbound protocol.
Parameter | Description |
---|---|
Protocol Configuration | SMB Tail |
Log Source Identifier | Type the IP address, hostname, or a unique name to identify your log source. |
Server Address | The IP address or hostname of your SMB Tail server. |
Domain | Type the domain for your SMB Tail server. This parameter is optional if your server is not in a domain. |
Username | Type the username that is required to access your server. |
Password | Type the password that is required to access your server. |
Confirm Password | Confirm the password that is required to access the server. |
Log Folder Path | The directory path to access the log files. For example, administrators can use the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path. However, the c:/LogFiles directory (a drive-letter path) is not a supported log folder path. If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files. Local system or domain administrator privileges are also sufficient to access all log files that are on an administrative share. |
File Pattern | The regular expression (regex) that identifies the event logs. |
SMB Version | Select the version of Server Message Block (SMB) that you want to use. Note: Before you create a log source with a specific SMB version (for example, SMBv1, SMBv2, or SMBv3), ensure that the specified SMB version is supported by the Windows OS that is running on your server. You also need to verify that the SMB version is enabled on the specified Windows Server. For more information about which Windows version supports which SMB versions, go to the Microsoft TechNet website (https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/). For more information about how to detect, enable, and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, go to the Microsoft support website (https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server). |
Force File Read | If the checkbox is cleared, the log file is read only when QRadar detects a change in the modified time or file size. |
Recursive | If you want the file pattern to search subfolders, use this option. By default, the checkbox is selected. |
Polling Interval (in seconds) | Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds. |
Throttle Events/Sec | The maximum number of events the SMB Tail protocol forwards per second. |
File Encoding | The character encoding that is used by the events in your log file. |
File Exclusion List | A list of regular expressions that prevent certain files or directories from being opened. The list includes one regular expression per line. When a file or directory matches one of the regular expressions, that file or directory is not opened. When a file is in use, other applications might not be able to use it. Use this parameter to prevent locking those files or to prevent the protocol from accessing specific files. The pattern does not apply to the full Log Folder Path. It applies only to the final directory that is listed in the path, and is tested against all files or directories that are found within that directory. For example, you can enter `/j50.*\.log`, `dhcp\.mdb`, and `dhcp\.tmp`, each on its own line. |
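
The following Python script is an added example that models how the Log Folder Path, File Pattern, Recursive, File Exclusion List, and Force File Read parameters described above interact. It is not QRadar's own SMB Tail code; the helper names (`validate_log_folder_path`, `select_files`, `needs_read`, and so on) are hypothetical, the directory listing is constructed, and it assumes that exclusion patterns are searched against each entry's path relative to the final directory of the Log Folder Path (written with a leading slash, so that the page's `/j50.*\.log` example matches a file named `j50_trace.log` at the top of that directory).

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical helpers written for this page; not QRadar's implementation.
DRIVE_LETTER = re.compile(r"^[A-Za-z]:[\\/]")   # c:/LogFiles style, unsupported
ADMIN_SHARE = re.compile(r"^[A-Za-z]\$$")       # C$, D$, ... administrative share


def validate_log_folder_path(path: str) -> Tuple[bool, str]:
    """Accept share-relative paths such as 'c$/LogFiles/' or 'LogFiles/';
    reject drive-letter paths such as 'c:/LogFiles'."""
    if not path.strip():
        return False, "empty path"
    if DRIVE_LETTER.match(path):
        return False, "drive-letter paths are not supported; use a share such as c$/LogFiles/"
    return True, "ok"


def uses_admin_share(path: str) -> bool:
    """True when the first path component is an administrative share, which means
    the configured account needs administrator-level rights on the server."""
    first = re.split(r"[\\/]+", path.strip("\\/"))[0]
    return bool(ADMIN_SHARE.match(first))


def compile_exclusions(text: str) -> List["re.Pattern[str]"]:
    """File Exclusion List: one regular expression per line, blank lines ignored."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def select_files(entries: List[Tuple[str, bool]], file_pattern: str,
                 exclusions: List["re.Pattern[str]"],
                 recursive: bool = True) -> Dict[str, List[str]]:
    """Decide which listed entries the protocol would open.

    entries: (path relative to the final Log Folder Path directory, is_directory).
    Exclusions are tested only against that relative path, never against the
    share or parent directories, and an excluded directory hides its contents.
    """
    pattern = re.compile(file_pattern)
    excluded_dirs: List[str] = []
    result: Dict[str, List[str]] = {"selected": [], "excluded": [], "unmatched": []}
    for rel, is_dir in sorted(entries):
        if any(rel.startswith(d + "/") for d in excluded_dirs):
            result["excluded"].append(rel)          # inside an excluded directory
            continue
        if any(x.search(rel) for x in exclusions):
            result["excluded"].append(rel)
            if is_dir:
                excluded_dirs.append(rel)
            continue
        if is_dir:
            continue                                # directories are never tailed
        if not recursive and rel.count("/") > 1:
            result["unmatched"].append(rel)         # subfolder, Recursive cleared
            continue
        name = rel.rsplit("/", 1)[-1]
        if pattern.search(name):
            result["selected"].append(rel)
        else:
            result["unmatched"].append(rel)
    return result


def needs_read(previous: Optional[Tuple[int, int]], current: Tuple[int, int],
               force_file_read: bool) -> bool:
    """Force File Read cleared: open the file only when its (mtime, size) pair
    changed since the last poll. Selected: open it on every poll."""
    if force_file_read or previous is None:
        return True
    return previous != current


# Constructed listing of the final Log Folder Path directory (not real data).
SAMPLE_ENTRIES = [
    ("/app.log", False), ("/j50_trace.log", False), ("/dhcp.mdb", False),
    ("/dhcp.tmp", False), ("/notes.txt", False), ("/archive", True),
    ("/archive/app-2023.log", False), ("/scratch", True), ("/scratch/app.log", False),
]
SAMPLE_EXCLUSIONS = "/j50.*\\.log\ndhcp\\.mdb\ndhcp\\.tmp\nscratch\n"

if __name__ == "__main__":
    print(validate_log_folder_path("c:/LogFiles"), validate_log_folder_path("c$/LogFiles/"))
    print(select_files(SAMPLE_ENTRIES, r"\.log$", compile_exclusions(SAMPLE_EXCLUSIONS)))
```

Two points the example makes concrete: an exclusion of `LogFiles` does not suppress anything even when the Log Folder Path is `c$/LogFiles/`, because the patterns are never applied to the configured path itself, and with Force File Read cleared an unchanged file is skipped on each poll, so a log that is rewritten in place with the same size and timestamp would not be re-read.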