Getting Data In

The precise sourcetype setting when importing ESET logs

dum0785
New Member

I currently use the ESET Remote Administrator.
However, I can not divide log fields with sourcetype.
Please tell me the precise sourcetype setting when importing ESET logs.

2018-08-28T10:59:14+09:00   eset.user.info  {"message":"1 2018-08-28T01:59:14.307Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Audit_Event\",\"ipv4\":\"172.18.1.30\",\"hostname\":\"eset01\",\"source_uuid\":\"014b605e-aede-40a3-b15e-c2bc1b3509a5\",\"occured\":\"28-Aug-2018 01:59:14\",\"severity\":\"Information\",\"domain\":\"Native user\",\"action\":\"Logout\",\"target\":\"Administrator\",\"detail\":\"Logging out native user 'Administrator'.\",\"user\":\"00000000-0000-0000-7002-000000000002\",\"result\":\"Success\"}"}
2018-08-28T11:34:16+09:00   eset.user.warn  {"message":"1 2018-08-28T02:34:16.220Z iptpeset01 ERAServer 5360 - -   {\"event_type\":\"Threat_Event\",\"ipv4\":\"172.17.18.249\",\"hostname\":\"local\",\"source_uuid\":\"e2b5397c-c61b-43e0-9ae6-f53acf0cae7b\",\"occured\":\"28-Aug-2018 02:33:47\",\"severity\":\"Warning\",\"threat_type\":\"test file\",\"threat_name\":\"Eicar\",\"scanner_id\":\"HTTP filter\",\"scan_id\":\"virlog.dat\",\"engine_version\":\"17954 (20180827)\",\"object_type\":\"file\",\"object_uri\":\"http://www.eicar.org/download/eicar.com.txt\",\"action_taken\":\"connection terminated\",\"threat_handled\":true,\"need_restart\":false,\"username\":\"yamada\",\"processname\":\"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\"circumstances\":\"Threat was detected upon access to web.\",\"hash\":\"3395856CE81F2B7382DEE72602F798B642F14140\"}"}
Tags (1)
0 Karma

inventsekar
SplunkTrust
SplunkTrust

maybe, ESET app can give you some ideas...
TA for Eset Remote Administrator
https://splunkbase.splunk.com/app/3867/#/overview

basically, sourcetype you can set it your self whatever convenient to you..

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

dum0785
New Member

Is it impossible with Edit Source's Advanced?
Or regular expression..

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @dum0785,

Did @inventsekar answer your question? If not, could you give us some more details about your problem? In general, you have a better chance of getting your question answered the more context you provide. Thanks and happy Splunking!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

i am actually not getting your question..
when we ingest/on board log files, on the inputs.conf file, we can assign any source/sourcetype as per our convenience.. the standard log files like linux/windows may have some standards as they are common.

for log files like ESET app, if i am in your place, i would simply assign "eset" as the sourcetype and the file's fullpath would be the source.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...