SMBv1 Logs - Collector Configuration

I've enabled collection of SMBv1 events on a few domain controllers that are still using it. How do I have the collector agent pull those logs in?

They're located here: Microsoft-Windows-SMBServer\Audit

  • You will need to add the connector to the agent in order to begin collecting the logs. From the web console, go to Manage -> Nodes. Use the filter options to show just agents. Locate the server you wish to collect the SMB logs on, place a check next to it, and click Manage Node Connectors. Search for SMB and, once the connector is found, select it and click Add Connector. Once the connector is added, make sure to Start it, and going forward new logs from the Microsoft-Windows-SMBServer\Audit log should start showing within the web console.
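
A source-side check to run on the domain controller before or after starting the connector, as an added example that is not part of the original posts: it confirms the audit channel is enabled and holding events, then lists which clients generated them. It assumes an elevated PowerShell session and that the event message contains a "Client Address:" line; that regex is an assumption about the message text.

```powershell
# Added example: run locally on the domain controller in an elevated session.
# Event Viewer shows the path as Microsoft-Windows-SMBServer\Audit;
# the channel name used by Get-WinEvent has a forward slash.
$channel = 'Microsoft-Windows-SMBServer/Audit'

# 1. Is SMBv1 access auditing switched on for the SMB server?
$auditOn = (Get-SmbServerConfiguration).AuditSmb1Access
Write-Host "AuditSmb1Access: $auditOn"

# 2. Does the channel exist, is it enabled, and does it hold records?
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Channel $channel not found on this host."
    return
}
Write-Host ("Enabled: {0}  Records: {1}  MaxSizeBytes: {2}" -f `
    $log.IsEnabled, $log.RecordCount, $log.MaximumSizeInBytes)

# 3. Pull the last 7 days of events. Get-WinEvent raises an error when
#    nothing matches, so suppress it and test for an empty result instead.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events since $since. The agent will have nothing to forward."
    return
}

# 4. Summarise per event ID and client so the counts can be compared with
#    what later shows up in the web console for this node.
#    Assumption: the message text carries a 'Client Address: <value>' line.
$events | ForEach-Object {
    $client = if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
              else { '(unparsed)' }
    [pscustomobject]@{ Id = $_.Id; Client = $client; Time = $_.TimeCreated }
} | Group-Object Id, Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

If the channel reports records here but nothing appears in the console, the gap is on the connector side rather than in Windows auditing.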