SIEM Collector Dialog

Description

The SIEM Collector dialog is used to create a log collector service that gathers log data from a source and analyzes it for events.

| Element | Description |
| --- | --- |
| Name field | Specifies the name of the Collector; any name can be used. |
| Type field | Lists the types of logs that can be collected and specifies which type this Collector will collect. |
| Source field | Specifies the log collection source: an Instance, a Sky Node, or a Nexus. |
| Collector field | Specifies the collector service used to collect the logs: File (reads log files), Docker (reads Docker container logs), or System (reads operating system logs). |
| Log Name field | Specifies the full path and file name of the log file. |
| Parser field | Specifies the name of a predefined parser, or the regular expression, used to parse the log file. |
| Filter section | Specifies inclusion patterns (only matching log lines are collected) and exclusion patterns (matching lines, typically white noise, are dropped) for the logs being collected. |
| Add button | Adds an inclusion or exclusion filter rule to the collector service, defining which log patterns are kept or dropped during collection. |
| Remove button | Removes the selected inclusion or exclusion rule from the collector service. |
| Create button | Saves the Collector configuration and provisions the collector service. |
| Cancel button | Aborts and closes the dialog without saving. |
SIEM Collector Actions Menu

Description

On the right-hand side of the SIEM Collector list view is the "Actions" menu, which shows shortcut icons and a dropdown menu icon. The actions available for the SIEM Collector module are listed below.

| Item | Description |
| --- | --- |
| Copy ID item | Copies the Collector ID to the clipboard. |
| Edit Collector item | Opens the SIEM Collector dialog in edit mode so the configuration can be modified. |
| Open Observer item | Opens the Observer dialog, which is used to search the collected logs and define rules for detecting and responding to events. |
| Purge Collector item | Opens a confirmation dialog; if confirmed, purges all logs held by the collector. The collector service itself is kept. |
| Delete Collector item | Opens a confirmation dialog; if confirmed, deletes the Collector service. |
Observer Dialog

Description

The Observer dialog is used to search the collected logs and to define patterns (rules) for detecting events within them.

| Element | Description |
| --- | --- |
| Observer Rules panel | Lists the rules saved in the Observer, each detecting a specific event based on a predefined pattern and its conditions. |
| Observer Query section | Searches for and retrieves the records matching the specified search pattern, displaying at most 1000 rows. |
| Time Scope field | Specifies the time range of the search, which can cover up to 30 days of historical data. |

Query field: Defines the search pattern using the Human Query Language (HQL), which operates as follows:

| Element | Description |
| --- | --- |
| Search button | Starts the search using the defined search pattern. Pressing Enter in the Query field also starts the search. |
| Raise Event field | Specifies the Event Hub to which the rule sends an event notification containing the matching log entry as JSON. |

Nexus Action field: This field is visible only when the collector is defined as a Nexus Log. It contains special actions designed to protect the Nexus server and to notify about events occurring on it. The following actions can be triggered:

| Element | Description |
| --- | --- |
| Add Rule button | Adds the specified rule to the Observer process, so the system continuously monitors the collected logs for the defined pattern. |
| Run Query button | Executes the saved rule's query from the Query field as a plain search, without raising any events. |
| Delete Rule button | Removes the rule from the Observer process. |
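To make the two stages described on this page concrete, the following is an added example and not the product's own code. It models the Collector (inclusion and exclusion filters, then a parser that turns each line into a JSON-ready record) and the Observer (a rule applied to in-scope records that raises an event containing the matching log JSON). The product uses predefined parsers and HQL, neither of which is reproduced here; this example assumes plain regular expressions for the parser, the filters and the rule. The sshd-style log lines, the `FAILED_LOGIN` pattern, the fixed `NOW` timestamp and the Python list standing in for the Event Hub are all constructed for illustration.

```python
"""Miniature collector + observer pipeline (added illustration, not the product's code)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sshd-style log lines; not captured from a real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 51000
2024-05-01T10:00:02Z sshd[1002]: Failed password for root from 203.0.113.9 port 40022
2024-05-01T10:00:03Z systemd[1]: Started Session 42 of user alice.
2024-05-01T10:00:04Z sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 40023
2024-05-01T10:00:05Z sshd[1004]: Failed password for root from 203.0.113.9 port 40024
2024-05-01T10:00:06Z sshd[1005]: Disconnected from 203.0.113.9 port 40024
"""

# Parser: a regex with named groups; each group becomes one JSON field.
PARSER = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Observer rule pattern (assumed, constructed): failed SSH logins keyed by source address.
FAILED_LOGIN = r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"

# Fixed "now" so the time-scope check is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def collect(text, include=(), exclude=(), parser=PARSER):
    """Collector stage.

    Inclusion patterns: when any are given, only lines matching at least one are kept.
    Exclusion patterns: lines matching any of them are dropped (white noise).
    Surviving lines are parsed into dicts; lines the parser cannot match are
    kept as {"raw": line} so nothing is silently lost.
    """
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    records = []
    for line in text.splitlines():
        if inc and not any(r.search(line) for r in inc):
            continue
        if any(r.search(line) for r in exc):
            continue
        m = parser.match(line)
        records.append(m.groupdict() if m else {"raw": line})
    return records


def in_scope(ts, now, scope):
    """True if the ISO-8601 timestamp falls within [now - scope, now]."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return now - scope <= t <= now


def observe(records, pattern, event_hub, now=NOW, scope=timedelta(days=30),
            key="src", threshold=3):
    """Observer stage.

    Applies the rule regex to each in-scope record's message, groups matches by
    the named group `key`, and once a group reaches `threshold` hits raises one
    event carrying the matching log JSON onto `event_hub` (a list standing in
    for the Event Hub). Returns the raised events.
    """
    rule = re.compile(pattern)
    hits = {}
    for rec in records:
        if "ts" in rec and not in_scope(rec["ts"], now, scope):
            continue
        m = rule.search(rec.get("msg", rec.get("raw", "")))
        if m:
            hits.setdefault(m.group(key), []).append(rec)
    events = []
    for k, recs in hits.items():
        if len(recs) >= threshold:
            event = {"rule": pattern, key: k, "count": len(recs), "logs": recs}
            event_hub.append(json.dumps(event))
            events.append(event)
    return events


def demo():
    """Run both stages over the constructed sample and return the results."""
    records = collect(SAMPLE_LOG, include=[r"sshd\["], exclude=[r"Disconnected from"])
    hub = []
    events = observe(records, FAILED_LOGIN, hub)
    # Same rule with a one-second time scope: nothing is recent enough, so no event.
    stale = observe(records, FAILED_LOGIN, [], scope=timedelta(seconds=1))
    return {"records": records, "events": events, "hub": hub, "stale": stale}


if __name__ == "__main__":
    out = demo()
    print(f"{len(out['records'])} records collected, {len(out['events'])} event(s) raised")
    for e in out["hub"]:
        print(e)
```

Two points worth noting when configuring a real collector along these lines: an unparsable line is kept as raw text rather than dropped, because a parser regex that silently discards lines is a blind spot an attacker can exploit by malforming log output; and the time scope is applied before the rule, so the same rule produces no event when the matching entries are older than the scope, which is the behaviour to expect when re-running a rule against historical data.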
The siemcollector Policy

The following is a list of the policy grants that define and regulate access permissions for both users and the API. To manage these policies, use the Roles dialog.

| Grant | Description | API Command |
| --- | --- | --- |
| full | Grants full access. | ALL |
| add-rule | Permits adding a rule to the Observer process. | add-rule |
| delete | Permits deleting the Collector. | delete |
| delete-rule | Permits removing a rule from the Observer process. | delete-rule |
| edit | Permits access to the "Edit" dialog. | |
| list | Permits listing Collectors in the List View area or as JSON objects. | list |
| new | Permits access to the new "Provisioning" dialog. | |
| observer | Permits access to the "Observer" dialog. | |
| purge | Permits purging all log entries from a Collector. | purge |
| save | Permits executing the provisioning process. | create, update |
| search | Permits querying log entries. | search |