Getting Data In

The precise sourcetype setting when importing ESET logs

dum0785
New Member

I currently use the ESET Remote Administrator.
However, I cannot divide the log fields with a sourcetype.
Please tell me the precise sourcetype setting for importing ESET logs.

2018-08-28T10:59:14+09:00   eset.user.info  {"message":"1 2018-08-28T01:59:14.307Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Audit_Event\",\"ipv4\":\"172.18.1.30\",\"hostname\":\"eset01\",\"source_uuid\":\"014b605e-aede-40a3-b15e-c2bc1b3509a5\",\"occured\":\"28-Aug-2018 01:59:14\",\"severity\":\"Information\",\"domain\":\"Native user\",\"action\":\"Logout\",\"target\":\"Administrator\",\"detail\":\"Logging out native user 'Administrator'.\",\"user\":\"00000000-0000-0000-7002-000000000002\",\"result\":\"Success\"}"}
2018-08-28T11:34:16+09:00   eset.user.warn  {"message":"1 2018-08-28T02:34:16.220Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Threat_Event\",\"ipv4\":\"172.17.18.249\",\"hostname\":\"local\",\"source_uuid\":\"e2b5397c-c61b-43e0-9ae6-f53acf0cae7b\",\"occured\":\"28-Aug-2018 02:33:47\",\"severity\":\"Warning\",\"threat_type\":\"test file\",\"threat_name\":\"Eicar\",\"scanner_id\":\"HTTP filter\",\"scan_id\":\"virlog.dat\",\"engine_version\":\"17954 (20180827)\",\"object_type\":\"file\",\"object_uri\":\"http://www.eicar.org/download/eicar.com.txt\",\"action_taken\":\"connection terminated\",\"threat_handled\":true,\"need_restart\":false,\"username\":\"yamada\",\"processname\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\"circumstances\":\"Threat was detected upon access to web.\",\"hash\":\"3395856CE81F2B7382DEE72602F798B642F14140\"}"}
0 Karma
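The two records in the question are three layers deep: a receive timestamp and a facility.severity tag, then a JSON wrapper whose only key is "message", and inside that string an RFC 5424-style syslog line whose free-text part is a second, escaped JSON object holding the actual ESET fields (event_type, severity, threat_name, hash, ...). That nesting is why no single sourcetype setting splits them into fields on its own. The script below is an added example, not code from the question or from the Splunkbase TA, that pulls the layers apart with nothing but the Python standard library; the two sample lines are the ones posted above, and the regular expressions encode my reading of that layout (in particular, no <PRI> prefix, since the posted lines have none).

```python
import json
import re

# The two records posted in the question, copied verbatim. Each line is
#   <receive timestamp>  <facility.severity>  <JSON with a single "message" key>
# and "message" holds a syslog line whose trailing part is a second JSON object.
SAMPLE_LINES = r'''
2018-08-28T10:59:14+09:00   eset.user.info  {"message":"1 2018-08-28T01:59:14.307Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Audit_Event\",\"ipv4\":\"172.18.1.30\",\"hostname\":\"eset01\",\"source_uuid\":\"014b605e-aede-40a3-b15e-c2bc1b3509a5\",\"occured\":\"28-Aug-2018 01:59:14\",\"severity\":\"Information\",\"domain\":\"Native user\",\"action\":\"Logout\",\"target\":\"Administrator\",\"detail\":\"Logging out native user 'Administrator'.\",\"user\":\"00000000-0000-0000-7002-000000000002\",\"result\":\"Success\"}"}
2018-08-28T11:34:16+09:00   eset.user.warn  {"message":"1 2018-08-28T02:34:16.220Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Threat_Event\",\"ipv4\":\"172.17.18.249\",\"hostname\":\"local\",\"source_uuid\":\"e2b5397c-c61b-43e0-9ae6-f53acf0cae7b\",\"occured\":\"28-Aug-2018 02:33:47\",\"severity\":\"Warning\",\"threat_type\":\"test file\",\"threat_name\":\"Eicar\",\"scanner_id\":\"HTTP filter\",\"scan_id\":\"virlog.dat\",\"engine_version\":\"17954 (20180827)\",\"object_type\":\"file\",\"object_uri\":\"http://www.eicar.org/download/eicar.com.txt\",\"action_taken\":\"connection terminated\",\"threat_handled\":true,\"need_restart\":false,\"username\":\"yamada\",\"processname\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\"circumstances\":\"Threat was detected upon access to web.\",\"hash\":\"3395856CE81F2B7382DEE72602F798B642F14140\"}"}
'''.strip().splitlines()

# Layer 1: receive timestamp, facility.severity tag, outer JSON object.
OUTER_RE = re.compile(r'^(?P<received>\S+)\s+(?P<tag>\S+)\s+(?P<json>\{.*\})$')

# Layer 2: RFC 5424 header fields (version timestamp hostname app-name procid
# msgid structured-data) followed by the inner JSON object. Assumption: the
# posted lines carry no <PRI> prefix, so none is expected here.
SYSLOG_RE = re.compile(
    r'^(?P<version>\d+)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+'
    r'(?P<appname>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>\S+)\s+'
    r'(?P<payload>\{.*\})$'
)
SYSLOG_FIELDS = ('version', 'timestamp', 'hostname', 'appname', 'procid', 'msgid', 'sd')


def parse_eset_line(line):
    """Split one ESET record into its three layers.

    Returns None for a line that does not have the expected shape, so a file
    with unrelated lines mixed in can be walked without raising.
    """
    m = OUTER_RE.match(line.rstrip('\n'))
    if not m:
        return None
    try:
        outer = json.loads(m.group('json'))
    except json.JSONDecodeError:
        return None
    s = SYSLOG_RE.match(str(outer.get('message', '')))
    if not s:
        return None
    try:
        event = json.loads(s.group('payload'))   # unescapes \" and \\ for us
    except json.JSONDecodeError:
        return None
    return {
        'received': m.group('received'),
        'tag': m.group('tag'),
        'syslog': {k: s.group(k) for k in SYSLOG_FIELDS},
        'event': event,
    }


def parse_all(lines):
    """Parse every well-formed line, silently skipping the rest."""
    return [r for r in (parse_eset_line(ln) for ln in lines) if r is not None]


def flatten(record, prefix=''):
    """Flatten nested dicts to dotted keys such as 'event.threat_name'."""
    out = {}
    for k, v in record.items():
        key = prefix + k
        if isinstance(v, dict):
            out.update(flatten(v, key + '.'))
        else:
            out[key] = v
    return out


if __name__ == '__main__':
    for rec in parse_all(SAMPLE_LINES):
        flat = flatten(rec)
        print(f"{flat['event.event_type']:13} severity={flat['event.severity']} "
              f"host={flat['event.hostname']} via {flat['syslog.hostname']}")
        if flat['event.event_type'] == 'Threat_Event':
            print('  threat:', flat['event.threat_name'], 'hash:', flat['event.hash'],
                  'process:', flat['event.processname'])
```

The point to take from the script is the order of operations: decode the outer JSON first, so that the escaped inner object (including the doubled backslashes in processname) becomes plain JSON, then strip the syslog header, then decode again. At search time in Splunk the equivalent is to isolate the trailing {...} of the message field with rex and hand that capture to spath; a sourcetype alone only determines line breaking and timestamp recognition for the outer layer.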

inventsekar
SplunkTrust

Maybe the ESET app can give you some ideas...
TA for Eset Remote Administrator
https://splunkbase.splunk.com/app/3867/#/overview

Basically, you can set the sourcetype yourself to whatever is convenient for you..

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

dum0785
New Member

Is it impossible with Edit Source's Advanced settings?
Or with a regular expression..

0 Karma

mstjohn_splunk
Splunk Employee

Hi @dum0785,

Did @inventsekar answer your question? If not, could you give us some more details about your problem? In general, you have a better chance of getting your question answered the more context you provide. Thanks and happy Splunking!

0 Karma

inventsekar
SplunkTrust

I am actually not getting your question..
When we ingest/onboard log files, in the inputs.conf file we can assign any source/sourcetype as per our convenience.. Standard log files like Linux/Windows may have some conventions, as they are common.

For log files like the ESET app's, if I were in your place, I would simply assign "eset" as the sourcetype, and the file's full path would be the source.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma