IBM File Forwarder source

The IBM® File Forwarder source monitors many types of logs that are not covered as part of the standard WinCollect plug-ins. You can monitor logs continuously (Continuous Monitoring), or you can scan a folder for new files, process the contents, and wait for the next file (File Drop).

Tip: Because these logs fall outside of the standard plug-ins, there is no DSM to parse the events in QRadar®. You must either create a custom DSM or use the Universal DSM.
Table 1. IBM File Forwarder source parameters

Parameter: Type
Description: IBM File Forwarder

Parameter: Root directory
Description: Directory where the log files that you want to pull data from are stored.
Note: You no longer need to enter the UNC path for remote sources.

Parameter: Filename pattern
Description: Only files that match this pattern are considered. This is an OS file filter.
  • *.* matches all files
  • *.log matches all files with a .log extension
  • Server*.log matches all files whose names start with Server and have a .log extension

Parameter: Monitor subdirectories
Description: Select this option if you want the agent to monitor subdirectories of the root directory.

Parameter: Monitoring algorithm
Description:
  • Continuous Monitoring is intended for log files where data is continuously appended to the end of the log file.
  • File Drop is intended for log files that are "dropped" into the root log directory, read one time, and then ignored in the future.
Note: WinCollect File Forwarder might not properly read events from files that do not contain CRLF characters to indicate the end of the payload.
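The following Python script is an added illustration, not WinCollect code: it models the filename filter, the File Drop and Continuous Monitoring algorithms, and the CRLF requirement described above. The helper names (select_files, drop_poll, read_new_records, make_sample_dir) and the use of fnmatch to approximate the OS file filter are assumptions; the sample files are constructed.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

def select_files(root, pattern, monitor_subdirs=False):
    """Files under root whose names match an OS-style wildcard such as
    "*.log" or "Server*.log" (fnmatch approximates the agent's filter)."""
    root = Path(root)
    walker = root.rglob("*") if monitor_subdirs else root.glob("*")
    return sorted(str(p) for p in walker
                  if p.is_file() and fnmatch.fnmatch(p.name, pattern))

def drop_poll(root, pattern, seen):
    """File Drop step: return matching files not processed before and
    record them in `seen` so later polls ignore them."""
    new = [f for f in select_files(root, pattern) if f not in seen]
    seen.update(new)
    return new

def read_new_records(path, offset=0):
    """Continuous Monitoring step: read bytes appended since `offset` and
    return (records, new_offset). Only CRLF-terminated records are
    emitted; a trailing partial line is left for the next poll, and a
    file with no CRLF at all yields nothing (the caveat in the note)."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\r\n")
    if end == -1:
        return [], offset
    complete = data[:end + 2]
    records = [r.decode("utf-8", "replace")
               for r in complete.split(b"\r\n") if r]
    return records, offset + len(complete)

def make_sample_dir():
    """Constructed sample tree (not real agent data) for a quick run."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    Path(root, "Server1.log").write_bytes(b"evt1\r\nevt2\r\npartial")
    Path(root, "other.txt").write_bytes(b"x\r\n")
    Path(root, "sub", "Server2.log").write_bytes(b"no newline here")
    return root

if __name__ == "__main__":
    root, seen = make_sample_dir(), set()
    print("dropped:", drop_poll(root, "Server*.log", seen))
    print(read_new_records(os.path.join(root, "Server1.log")))  # (['evt1', 'evt2'], 12)
```

Running the same drop_poll call twice returns an empty list the second time, which is the "read one time, then ignored" behaviour of File Drop.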