topic Re: The precise sourcetype setting when importing ESET logs in Getting Data In

The precise sourcetype setting when importing ESET logs

dum0785 — Wed, 29 Aug 2018 07:05:20 GMT

I currently use the ESET Remote Administrator.
However, I can not divide log fields with sourcetype.
Please tell me the precise sourcetype setting when importing ESET logs.

2018-08-28T10:59:14+09:00   eset.user.info  {"message":"1 2018-08-28T01:59:14.307Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Audit_Event\",\"ipv4\":\"172.18.1.30\",\"hostname\":\"eset01\",\"source_uuid\":\"014b605e-aede-40a3-b15e-c2bc1b3509a5\",\"occured\":\"28-Aug-2018 01:59:14\",\"severity\":\"Information\",\"domain\":\"Native user\",\"action\":\"Logout\",\"target\":\"Administrator\",\"detail\":\"Logging out native user 'Administrator'.\",\"user\":\"00000000-0000-0000-7002-000000000002\",\"result\":\"Success\"}"}
2018-08-28T11:34:16+09:00   eset.user.warn  {"message":"1 2018-08-28T02:34:16.220Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Threat_Event\",\"ipv4\":\"172.17.18.249\",\"hostname\":\"local\",\"source_uuid\":\"e2b5397c-c61b-43e0-9ae6-f53acf0cae7b\",\"occured\":\"28-Aug-2018 02:33:47\",\"severity\":\"Warning\",\"threat_type\":\"test file\",\"threat_name\":\"Eicar\",\"scanner_id\":\"HTTP filter\",\"scan_id\":\"virlog.dat\",\"engine_version\":\"17954 (20180827)\",\"object_type\":\"file\",\"object_uri\":\"http://www.eicar.org/download/eicar.com.txt\",\"action_taken\":\"connection terminated\",\"threat_handled\":true,\"need_restart\":false,\"username\":\"yamada\",\"processname\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\"circumstances\":\"Threat was detected upon access to web.\",\"hash\":\"3395856CE81F2B7382DEE72602F798B642F14140\"}"}

Re: The precise sourcetype setting when importing ESET logs

inventsekar — Wed, 29 Aug 2018 07:18:34 GMT

maybe, ESET app can give you some ideas...
TA for Eset Remote Administrator
https://splunkbase.splunk.com/app/3867/#/overview

basically, sourcetype you can set it your self whatever convenient to you..

Re: The precise sourcetype setting when importing ESET logs

dum0785 — Wed, 29 Aug 2018 07:28:38 GMT

Is it impossible with Edit Source's Advanced?
Or regular expression..

Re: The precise sourcetype setting when importing ESET logs

inventsekar — Wed, 29 Aug 2018 07:54:01 GMT

i am actually not getting your question..
when we ingest/on board log files, on the inputs.conf file, we can assign any source/sourcetype as per our convenience.. the standard log files like linux/windows may have some standards as they are common.

for log files like ESET app, if i am in your place, i would simply assign "eset" as the sourcetype and the file's fullpath would be the source.

Re: The precise sourcetype setting when importing ESET logs

mstjohn_splunk — Wed, 29 Aug 2018 21:49:30 GMT

hi @dum0785,

Did @inventsekar answer your question? If not, could you give us some more details about your problem? In general, you have a better chance of getting your question answered the more context you provide. Thanks and happy Splunking!