logs are collected.
I would like to ask you one more question. Although logs are collected, they are not parsed correctly. To be precise, almost all useful information from the message tracking logs, such as the log type (RECEIVE STORE), message subject, and sender or receiver info, is shown in the Packet tab, where you can only see the original log message. However, this way I cannot use filters to search for those parameters. For example: to search for all messages where the sender or receiver is email@example.com.
By the way, I have noticed this also in logs coming from Microsoft Forefront TMG and from Oracle DB.
When you are using the Exchange Server (ASP) data source, you should see the sender and receiver in the Source\Destination User fields. If you want to search messages by the addresses, you can use the Source\Destination User filters. You probably know that there is no possibility to use regex in the Filters, but you can use there something called "Normalization Strings":
...and - if you can't see the email addresses in the Source\Destination User fields - please ask McAfee Support about the latest hotfix.
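For reference, this is what pulling the event type, subject, sender and recipients out of Exchange message tracking records looks like when done outside the SIEM. It is an added example, not the poster's or McAfee's code, and the sample records are constructed. The header line follows the Exchange 2010 field names, but the parser keys off whatever #Fields line the file carries, so column positions are never hard-coded; the recipient list is split on ';' and the filter matches an address as either sender or recipient, which is exactly the search the question asks for.

```python
"""Parse Exchange message tracking log records and filter by address.

Added example (not from the original post or the McAfee ESM product).
SAMPLE_LOG is constructed test data in the message tracking log layout:
a few '#' header lines, a '#Fields:' line naming the columns, then one
CSV record per line. Subjects may contain commas, so the csv module is
used instead of a naive split.
"""
import csv

# Constructed sample; field names mirror the Exchange 2010 #Fields header.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2014-03-10T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip
2014-03-10T08:15:02.114Z,10.0.0.5,CLIENT1,10.0.0.10,EXCH01,,,STOREDRIVER,RECEIVE,12345,<a1@example.com>,bob@example.com;carol@example.com,,4096,2,,,Quarterly report,email@example.com,email@example.com,,Originating,,,
2014-03-10T08:15:03.002Z,,,10.0.0.10,EXCH01,,Intra-Organization SMTP Send Connector,SMTP,SEND,12345,<a1@example.com>,bob@example.com,,4096,1,,,Quarterly report,email@example.com,email@example.com,,Originating,,,
2014-03-10T08:16:10.500Z,10.0.0.7,CLIENT2,10.0.0.10,EXCH01,,,STOREDRIVER,RECEIVE,12346,<b2@example.com>,email@example.com,,1024,1,,,"Lunch, anyone?",dave@example.com,dave@example.com,,Originating,,,
"""


def parse_tracking_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header.

    Each record also gets a 'recipients' list (recipient-address split
    on ';'), since one RECEIVE event can carry several recipients.
    """
    fields = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Log-type, #Date, ...
        if fields is None:
            raise ValueError("line %d: data before #Fields header" % lineno)
        row = next(csv.reader([line]))
        if len(row) != len(fields):
            raise ValueError(
                "line %d: %d fields, header has %d" % (lineno, len(row), len(fields))
            )
        record = dict(zip(fields, row))
        record["recipients"] = [
            r for r in record["recipient-address"].split(";") if r
        ]
        yield record


def messages_involving(records, address):
    """Return records where address is the sender or one of the recipients.

    Comparison is case-insensitive, as SMTP addresses usually are in practice.
    """
    address = address.lower()
    return [
        r for r in records
        if r["sender-address"].lower() == address
        or address in (x.lower() for x in r["recipients"])
    ]


def summarize(record):
    """One-line view of the fields the SIEM should be surfacing as columns."""
    return "%s %s %s -> %s subject=%r" % (
        record["date-time"], record["source"], record["event-id"],
        record["sender-address"], record["message-subject"],
    )


if __name__ == "__main__":
    recs = list(parse_tracking_log(SAMPLE_LOG))
    for r in messages_involving(recs, "email@example.com"):
        print(summarize(r))
```

The same approach works for the RECEIVE/SEND/DELIVER event types and for newer Exchange versions that add columns, because the parser takes column names from the file itself rather than from a fixed list.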
I'm pretty new to the SIEM, and have a couple of questions about this configuration.
- Are the Share Name and Path all defined on the data source itself?
- For the Username, I assume this is an account that the server allows access to the logs?
Resurrecting an old post as I have a similar issue.
Trying to add a file share as a data source. The user has read and modify rights. When I do a connection test I get the error:
NotOk writeability: Permission denied, readability: Ok
What exact rights does the user require?
I usually use a packet capture to troubleshoot share issues. You could run tcpdump on the Receiver (tcpdump -nni eth0 host x.x.x.x -X) while you try to mount it. The error is usually clearly stated.