Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Receive encrypted logs from ESET endpoint security

Mohali
Loves-to-Learn Lots
‎10-05-2023 02:16 AM

I'm planning to start an integration between Splunk and ESET endpoint security cloud platform, but I facing the following issue:

the Syslog-ng server started receiving uncleared/encrypted logs from the ESET endpoint security, so the logs appear on the HF server like this:


 ^A^B
 ^L
7 ^]
^W
 ^^
 ^Y
 ^X
#
^W
(^D^C^E^C^F^C^H^G^H^H^H ^H
2

I think I want to decrypt the logs when received by the syslog-ng because Splunk can't handle any decryption process, I need help with how I can decrypt the logs in the Syslog-ng.

Labels (1)
Labels
0 Karma
Reply

patrick9403
New Member
‎02-05-2024 08:13 AM

It looks like logs from ESET are encrypted.... because yes. I tried with syslog-ng and rsyslog but result is the same. I saw in the network that similar issue was reported directly to ESET

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-05-2023 01:52 PM

Firstly, it's unclear what logs we're talking about and how they relate to syslog. If it's a cloud platform it's quite unusual to send raw syslog over open internet. If it's your local part of the installation (like the logs from the endpoints themselves) are you sure they are configured correctly? Are they supposed to send syslog?

0 Karma
Reply

patrick9403
New Member
‎02-05-2024 08:10 AM

Hi,

Did you find solution? I have the same issue.

 

0 Karma
Reply

_JP
Contributor
‎10-05-2023 01:42 PM

Since you're looking for help for syslog-ng configuration, your best bet is to join the syslog-ng community

But, from a Splunk architecture/design perspective you are on the right track.  Typically people use a separate syslog receiver that writes to disk (like syslog-ng), and then have Splunk monitor that.  This way you reduce the coupling for situations where you have to restart Splunk and don't want your syslog ports to be down.

That being said, there is a Splunk Connect for Syslog app that can be used for receiving syslog data, but I am unsure if it can handle the decryption for you if you are in a bind.  Overall I much prefer having syslog being received outside of Splunk.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...