Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ESET endpoint logs

abdallah_hegazy
Explorer
‎06-28-2020 07:16 AM

Hi , 

 

i am currently integrating logs from ESET endpoint security server , we have configured ESET to send logs in JSON format , but will i have applied _json sourcetype to the logs , it didn't parse correctly  .. Any ideas  ? 

 

 

 

<12>1 2020-06-28T13:13:25.32Z eset-esmc ERAServer 1319 - - {"event_type":"EnterpriseInspectorAlert_Event","ipv4":"4.5.6.7","hostname":"desktop123","source_uuid":"b851c1bc-0b62-4ca8-888c-c004e0d002f2","occured":"28-Jun-2020 13:09:06","severity":"Warning","processname":"%PROGRAMFILES(X86)%\\google\\update\\googleupdate.exe","username":"nt authority\\system","rulename":"Potential credential dumping - Generic [F0436a]","count":1,"hash":"842AE39880C3C0BC501007B42949950C3D3B7ED3","eiconsolelink":"https://EABC:443/console/detection/29"}

<14>1 2020-06-28T12:58:55.306Z eset-esmc ERAServer 1319 - - {"event_type":"Audit_Event","ipv4":"1.2.3.4","hostname":"eset","source_uuid":"4b643875-9b90-41b7-a046-cc30f6a331d3","occured":"28-Jun-2020 12:58:55","severity":"Information","domain":"Native user","action":"Logout","target":"Administrator","detail":"Logging out native user 'Administrator'.","user":"Administrator","result":"Success"}

 

 

 Thanks .

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2020 10:43 AM

Those sample events look like syslog with JSON message fields.  Since they're not pure JSON, the _json sourcetype won't work.  If you onboard the data using these props.conf settings

[ eset_syslog ]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=32
NO_BINARY_CHECK=true
REPORT-syslog=syslog-extractions
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX=\d\s
TRANSFORMS=syslog-host
TRUNCATE=10000
disabled=false

then this search will extract the fields.

index=foo sourcetype=eset_syslog | rex "(?<json>\{.*)" | spath input=json

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2020 10:43 AM

Those sample events look like syslog with JSON message fields.  Since they're not pure JSON, the _json sourcetype won't work.  If you onboard the data using these props.conf settings

[ eset_syslog ]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=32
NO_BINARY_CHECK=true
REPORT-syslog=syslog-extractions
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%Z
TIME_PREFIX=\d\s
TRANSFORMS=syslog-host
TRUNCATE=10000
disabled=false

then this search will extract the fields.

index=foo sourcetype=eset_syslog | rex "(?<json>\{.*)" | spath input=json

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

abdallah_hegazy
Explorer
‎06-29-2020 05:15 AM

@richgalloway  thanks for your swift response .. in the meantime , i changed the logs format from the server  to leef and and made extraction at index time rather than search time using propos.conf and transforms.conf 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...