Profiles and Vendors (logs auto recognition)

With version 5.1.0 a new concept has been introduced: logs auto recognition and categorization.
SGBox already recognizes many different log sources, and up to v5.0.7 user needed to associate the collected logs to the desired patterns to extract events.

Pre-defined classes are now associated to known vendors, and by selecting one or more profiles user defines which events should be extracted and should be available for reference.Profile selection automatically associates a recognized host to a set of pre defined classes. This is the simplest way to configure SGBox.
As always, the user can customize these configurations to tailor the SGBox layout and information according to his needs.

This operating mode must first be enabled: in the SCM>Advanced options menu, select “Automatic mode” to activate the automatic log recognition.

SGBox starts to recognise and categorise logs and you’ll be able to gradually see new assets in the SCM>Network>Assets menu.
At last you should apply the profile you prefer, by selecting the LM>Configuration>Profiles menu and check the desired profile(s). Selections are immediately activated (or de-activated) at your click.

Now SGBox will automatically recognize the known vendor’s logs and will gradually extract only the information corresponding to the selected profiles. This process can take some time, depending on the logs frequency.

If you decide to stop extracting events for a specific profile, simply uncheck it. Remember that by unchecking a profile, the corresponding events won’t be deleted. They will be saved as historical data and hidden in the interface. If you re-enable a profile, the association will be re-established and you will be able to view both historical and new data.

In any case, all the raw data is always collected, regardless the configuration you select. You can always make new configurations and re-apply them to your historical raw data to obtain a new set of events. This feature has nothing to do with data collection and you will not break in any way the raw data collection.

Please note: SGBox already has a similar mechanism used to auto configure the remote agents on Windows hosts, so that they can collect a standard set of events (SCM > Advanced options > Initial configuration). These two configuration can live together, but if you first select a profile that involves data coming from Windows agents and then de-select it, SGBox will stop extract those events. As usual you can re-enable the profile or manually configure your hosts and again, no raw data will be lost.

Multi-tenant mode. In the Multi-tenant version of SGBox, administrator can centrally assign specific profiles to the associated tenants. In SCM > Multitenant > Manager > Profiles a matrix will be presented to the administrator. Using that matrix it will be possible to assign one or more profiles to each tenant, in a single place.

Automatic log recognition is an high performance operating mode that has minimal impact to SGBox performances. Anyway, when your setup looks complete, you may consider to disable the log automatic recognition (SCM>Advanced options, uncheck “Automatic mode”). This will have no impact on the configurations, it will simply disable the automatic recognition.