File Forwarder log source configuration options
Use the reference information to configure the WinCollect plug-in for the File Forwarder log source.
You must also configure parameters that are not specific to this plug-in. The File Forwarder plug-in can be used with Universal DSM to poll many types of logs from the Windows host.
| Parameter | Description |
| --- | --- |
| Log Source Type | Universal DSM |
| Protocol Configuration | Select WinCollect File Forwarder. |
| Local System | Disables remote collection of events for the log source. The log source uses local system credentials to collect and forward events to QRadar®. |
| Root Directory | The location of the log files to forward to QRadar. If the WinCollect agent remotely polls for the file, the root log directory must specify both the server and the folder location for the log files. |
| Filename Pattern | The regular expression (regex) that is required to filter the file names. All files that match the pattern are included in the processing. The default file pattern is `.*` and matches all files in the Root Directory. |
| | The Continuous Monitoring option is intended for file systems that append data to log files. The File Drop option is used for log files in the root log directory that are read one time and then ignored in the future. |
| Only Monitor Files Created Today | Enabled by default. Clear this option to monitor files from before the current day. |
| File Monitor Type | The Notification-based (local) option uses Windows file system notifications to detect changes to your event log. The Polling-based (remote) option monitors changes to remote files and directories: the agent polls the remote event log and compares the file with its state at the last polling interval; if the event log contains new events, the event log is retrieved. |
| File Reader Type | Text (file held open): the system that generates your event log continually leaves the file open to append events to the end of the file. Text (file open when reading): the system that generates your event log opens the event log from the last known position, writes events, and then closes the event log. Memory Mapped Text (local only): select this option only when advised by IBM Professional Services; it is used when the system that generates your event log polls the end of the event log for changes, and it requires that you also select the Local System check box. |
| File Reader Encoding | For files without a BOM, select ANSI if you want the files converted to UTF8. Otherwise, select UTF8 if the files are already in UTF8 and no conversion is needed. |
| File Parser Type | Files can be parsed in two ways: Single Line or Multi Line. |
| Multi Line "Starts With" Regex Token | The Multi Line File Parser Type requires a "Starts With" token: the regex that identifies every character from the beginning of the line on which a multi-line event starts. Make the regex as accurate as possible, both to avoid combining events when similar whitespace precedes the characters and to avoid the file not being parsed at all because no "Starts With" token is found. |
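The monitoring and reader options in the table describe incremental reading: Continuous Monitoring remembers how far each matching file has been read and forwards only what was appended, while File Drop reads each file once and then ignores it, and the File Reader Encoding setting decides how bytes without a BOM are decoded. The Python model below is an added example, not WinCollect's own code; it simulates polling intervals over an in-memory "root directory" of constructed files so the differences are visible. It assumes that the Filename Pattern is applied as a full match on the file name, that only complete newline-terminated lines are forwarded, that a file shorter than its recorded offset has been truncated and is re-read from the start, and that ANSI means Windows-1252; none of these details are stated on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

UTF8_BOM = b"\xef\xbb\xbf"


@dataclass
class ForwarderState:
    """Bookkeeping carried between polls (assumed model, not WinCollect internals):
    byte offset per file for Continuous Monitoring, files already read for File Drop."""
    offsets: Dict[str, int] = field(default_factory=dict)
    consumed: Set[str] = field(default_factory=set)


def matching_files(files: Dict[str, bytes], filename_pattern: str) -> List[str]:
    """Apply the Filename Pattern regex; assumed here to be a full match on the name."""
    pattern = re.compile(filename_pattern)
    return sorted(name for name in files if pattern.fullmatch(name))


def decode_text(raw: bytes, reader_encoding: str = "UTF8") -> str:
    """File Reader Encoding: a UTF-8 BOM wins; without one, ANSI input is converted
    (assumed Windows-1252) and UTF8 input is used as-is."""
    if raw.startswith(UTF8_BOM):
        return raw[len(UTF8_BOM):].decode("utf-8")
    if reader_encoding == "ANSI":
        return raw.decode("cp1252")
    return raw.decode("utf-8")


def poll(files, state, filename_pattern=r".*", mode="continuous", reader_encoding="UTF8"):
    """One polling interval over the in-memory 'root directory' `files`.
    Returns {file name: [new lines]} for the files that produced events."""
    if mode not in ("continuous", "file_drop"):
        raise ValueError(f"unknown mode {mode!r}")
    new_lines: Dict[str, List[str]] = {}
    for name in matching_files(files, filename_pattern):
        data = files[name]
        if mode == "file_drop":
            # File Drop: read the whole file once, then ignore it on later polls.
            if name in state.consumed:
                continue
            state.consumed.add(name)
            chunk = data
        else:
            # Continuous Monitoring: forward only data appended since the last poll,
            # and only complete (newline-terminated) lines; a trailing partial line
            # waits for the next poll.
            start = state.offsets.get(name, 0)
            if start > len(data):  # shorter than last time: assume truncated, restart
                start = 0
            end = data.rfind(b"\n", start) + 1
            if end <= start:
                continue
            chunk = data[start:end]
            state.offsets[name] = end
        lines = decode_text(chunk, reader_encoding).splitlines()
        if lines:
            new_lines[name] = lines
    return new_lines


def demo():
    """Constructed sample 'root directory' exercised through three continuous polls
    and two File Drop polls; returns the five results in order."""
    files = {
        "app.log": b"first line\nsecond line\n",
        "drop.txt": UTF8_BOM + b"dropped once\n",
        "notes.bak": b"excluded by the Filename Pattern\n",
    }
    state = ForwarderState()
    first = poll(files, state, r".*\.log")
    files["app.log"] += b"third line\npartial"  # appended between polls
    second = poll(files, state, r".*\.log")
    third = poll(files, state, r".*\.log")  # the partial line is not forwarded yet
    drop_state = ForwarderState()
    drop_first = poll(files, drop_state, r".*\.txt", mode="file_drop")
    drop_second = poll(files, drop_state, r".*\.txt", mode="file_drop")
    return first, second, third, drop_first, drop_second


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second continuous poll returns only the appended complete line, the third returns nothing because "partial" has no terminating newline yet, and the File Drop poll returns the BOM-stripped file once and then nothing. `notes.bak` is never read because it does not match the pattern.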
For example, consider the following XML file, which is parsed with the Multi Line File Parser Type:

<EventList> <event> <timeStamp=10101010101 payload=example1> </event> <event> <timeStamp=10101010102 payload=example2> </event> <event> <timeStamp=10101010103 payload=example3> </event> <event> <timeStamp=10101010104 payload=example4> </event> </EventList>

To ensure that the XML file is parsed to generate an event for every <event> node, use a multi-line "Starts With" token of "\s*<event>". Each <event> node then becomes its own event, for example:

<event> <timeStamp=10101010101 payload=example1> </event>

A token of "<event>" would also work; however, tabs and spaces can look the same and be coded differently. Using "\s*<event>" is a better option, because it covers both types of white space.
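To show why the token must be anchored accurately, the following Python function, an added example rather than WinCollect's parser, implements a multi-line splitter that starts a new event on every line whose beginning matches the "Starts With" regex. It runs over a constructed version of the XML above in which the <event> nodes are indented with four spaces, a tab, and two spaces. How lines before the first token (dropped) and after the last event (kept with that event) are treated is this example's own choice and is not documented on this page.

```python
import re
from typing import Dict, List

# Constructed sample: the XML from the example above written one node per line,
# with the <event> nodes indented by four spaces, a tab, and two spaces so the
# whitespace differences are visible.
SAMPLE_LINES = [
    "<EventList>",
    "    <event> <timeStamp=10101010101 payload=example1> </event>",
    "\t<event> <timeStamp=10101010102 payload=example2> </event>",
    "  <event> <timeStamp=10101010103 payload=example3> </event>",
    "</EventList>",
]


def split_single_line_events(lines: List[str]) -> List[str]:
    """Single Line parser: every non-empty line is one event."""
    return [line for line in lines if line.strip()]


def split_multiline_events(lines: List[str], starts_with: str) -> List[str]:
    """Multi Line parser: a new event starts on each line whose beginning matches
    the "Starts With" regex (re.match anchors it at column 0). Lines before the
    first match are dropped and lines after the last start are kept with the last
    event; both are this example's assumptions, not documented behaviour."""
    token = re.compile(starts_with)
    events: List[str] = []
    current: List[str] = []
    for line in lines:
        if token.match(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def demo() -> Dict[str, int]:
    """Event counts for three candidate tokens: the recommended whitespace-tolerant
    one, a bare one that matches no indented line, and a spaces-only one that
    misses the tab- and two-space-indented nodes and so merges them into one event."""
    return {
        token: len(split_multiline_events(SAMPLE_LINES, token))
        for token in (r"\s*<event>", r"<event>", r"    <event>")
    }


if __name__ == "__main__":
    for token, count in demo().items():
        print(f"{token!r:18} -> {count} event(s)")
```

The three outcomes map onto the two failure modes named in the table: "<event>" matches nothing once the nodes are indented, so the file is not parsed at all, and a token with only spaces starts a single event that swallows the tab-indented nodes, combining events. "\s*<event>" yields one event per node regardless of which whitespace each line uses.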