Documentation Center
AlienVault® USM Anywhere™

ESET Antivirus

When you configure ESET integration to send log data to USM Anywhere, you can use the ESET plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor ESET
Device type Antivirus
Connection type Syslog

Integrating ESET Antivirus

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure ESET to send log data to USM Anywhere

  1. After logging into the ESET Remote Administrator (ERA) web console, in the left navigation bar, select the Admin icon, then Server Settings > ADVANCED SETTINGS.

  2. In the Syslog Server section, configure the following:

    1. Use Syslog server — Toggle the slider to display a check mark.
    2. Host — IP address of the USM Anywhere Sensor.
    3. Port — 514
    4. Format (in ESET version 6.5 and later) — BSD
  3. In the Logging section, toggle the Export logs to Syslog slider to display a check mark.
  4. Click SAVE.

Format and Meaning of Exported Event Attributes

ESET Remote Administrator can export certain logs/events and send them to the USM Anywhere Sensor. Events are generated on a managed client computer running an ESET security product (for example, ESET Endpoint Security) and include event types such as the following:

  • ThreatEvent
  • Firewall Aggregated Event
  • HIPS Aggregated Event

Any Security Information and Event Management (SIEM) solution capable of importing events from a Syslog server can process these events. They are then written to the designated USM Anywhere Sensor.

To view JSON-formatted event messages in ESET Remote Administrator

  • After you enable the Syslog server, go to Admin > Server Settings > Syslog Server > Logging and enable Export logs to Syslog.

    Event messages are formatted as JavaScript Object Notation (JSON) objects with some mandatory and optional keys.

    The following table describes the format and meaning of the attributes that every exported event contains:

    Attribute     Format   Optional?   Meaning
    event_type    string               Exported event type
    ipv4          string               IPv4 address of the computer generating the event.
    ipv6          string               IPv6 address of the computer generating the event.
    source_uuid   string               UUID of the computer generating the event.
    occurred      string               UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S
    severity      string               Severity of the event. Possible values (least severe - most severe):

    • Information
    • Notice
    • Warning
    • Error
    • Critical
    • Fatal

Firewall Aggregated Event

Firewall aggregated events

Attribute             Format    Optional?   Meaning
event_type            string                Event name
source_address                              Address of the event source
source_address_type                         Type of address of the event source
source_port           integer               Port of the event source
target_address                              Address of the event destination
target_address_type                         Type of address of the event destination
target_port           integer               Port of the event destination
protocol                                    Protocol
account                                     Name of the user account associated with the event
process_name                                Name of the process associated with the event
rule_name                                   Rule name
rule_id                                     Rule ID
inbound               boolean               Whether or not the connection was inbound
threat_name                                 Name of the threat
aggregate_count       integer               Number of identical messages generated by the endpoint within two consecutive replications between ERA Server and the managing ERA Agent

HIPS Aggregated Events

The plugin filters events from the Host-based Intrusion Prevention System (HIPS) by severity before sending them as Syslog messages: only events with severity Error, Critical, or Fatal are sent to Syslog.

HIPS-specific attributes

Attribute         Format    Optional?   Meaning
application       string                Application name
operation                               Operation
target                                  Target
action                                  Action
rule_name                               Rule name
rule_id                                 Rule ID
aggregate_count   integer               Number of identical messages generated by the endpoint within two consecutive replications between ERA Server and the managing ERA Agent

Plugin Enablement

The ESET plugin automatically processes all messages whose Syslog tag matches the value "ERAServer".
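The following script is an added example (not AlienVault or ESET code) showing how the pieces described above fit together: it splits a BSD-format syslog line, accepts only lines whose tag is "ERAServer", decodes the JSON payload, applies the HIPS severity rule (Error, Critical, Fatal), converts the "occurred" timestamp from its %d-%b-%Y %H:%M:%S UTC format, and maps raw attributes onto a subset of the plugin field names listed below. The sample syslog lines are constructed; the event_type values "FirewallAggregated_Event" and "HipsAggregated_Event" and the raw-key-to-plugin-field mapping in FIELD_MAP are assumptions, since the page names the plugin fields but does not state which raw attribute feeds each.

```python
"""Parse ESET ERA syslog output (BSD format, tag "ERAServer") into normalized events."""
import json
import re
from datetime import datetime, timezone

# Severity scale from the ESET attribute table, least to most severe.
SEVERITY_ORDER = ["Information", "Notice", "Warning", "Error", "Critical", "Fatal"]
# Only HIPS events at these levels are exported to syslog (HIPS section above).
HIPS_EXPORTED = {"Error", "Critical", "Fatal"}
# Syslog tag the USM Anywhere ESET plugin keys on.
ERA_TAG = "ERAServer"
# Format of the "occurred" attribute, from the attribute table.
OCCURRED_FMT = "%d-%b-%Y %H:%M:%S"

# BSD (RFC 3164) syslog line: <PRI>Mmm dd HH:MM:SS host TAG: message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)

# ASSUMED mapping from ERA JSON keys to USM Anywhere plugin field names.
# The plugin field names come from the page; which raw key feeds each is a guess.
FIELD_MAP = {
    "event_type": "event_name",
    "severity": "event_severity",
    "ipv4": "rep_device_address",
    "ipv6": "rep_device_address_6",
    "source_address": "source_address",
    "source_port": "source_port",
    "target_address": "destination_address",
    "target_port": "destination_port",
    "protocol": "transport_protocol",
    "account": "source_username",
    "process_name": "source_process",
    "rule_id": "rep_device_rule_id",
    "application": "application",
}

# Constructed sample input (raw strings so the JSON backslash escapes survive).
# event_type values are assumed, not taken from the page.
SAMPLE_LINES = [
    r'<134>Mar 10 14:22:05 era-server ERAServer: {"event_type":"FirewallAggregated_Event","ipv4":"10.0.0.5","source_uuid":"00000000-0000-0000-0000-000000000001","occurred":"10-Mar-2024 13:22:01","severity":"Warning","source_address":"10.0.0.5","source_address_type":"IPv4","source_port":51234,"target_address":"203.0.113.7","target_address_type":"IPv4","target_port":443,"protocol":"TCP","account":"CORP\\alice","process_name":"C:\\Tools\\app.exe","rule_name":"Block outbound","rule_id":42,"inbound":false,"threat_name":"","aggregate_count":3}',
    r'<131>Mar 10 14:23:10 era-server ERAServer: {"event_type":"HipsAggregated_Event","ipv4":"10.0.0.6","source_uuid":"00000000-0000-0000-0000-000000000002","occurred":"10-Mar-2024 13:23:08","severity":"Error","application":"C:\\Users\\bob\\drop.exe","operation":"Modify file","target":"C:\\Windows\\System32\\drivers\\etc\\hosts","action":"blocked","rule_name":"Self-defense","rule_id":7,"aggregate_count":1}',
    # HIPS event below the export threshold: filtered out.
    r'<134>Mar 10 14:24:00 era-server ERAServer: {"event_type":"HipsAggregated_Event","ipv4":"10.0.0.6","occurred":"10-Mar-2024 13:23:58","severity":"Notice","application":"C:\\Program Files\\tool.exe","operation":"Read","target":"C:\\tmp\\x","action":"allowed","rule_id":9,"aggregate_count":1}',
    # Different syslog tag: the ESET plugin ignores it.
    r'<13>Mar 10 14:25:00 other-host sshd: Accepted publickey for alice from 10.0.0.9',
]


def parse_syslog_line(line):
    """Split a BSD syslog line into header fields and the raw message.
    Returns None if the line is not well-formed BSD syslog."""
    m = BSD_RE.match(line.strip())
    return m.groupdict() if m else None


def severity_rank(severity):
    """Position on the ESET severity scale (0 = Information); -1 if unknown."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else -1


def hips_exported(event):
    """Mirror the HIPS rule: only Error/Critical/Fatal HIPS events are exported."""
    if event.get("event_type") != "HipsAggregated_Event":
        return True
    return event.get("severity") in HIPS_EXPORTED


def normalize(line):
    """Turn one syslog line into a dict of plugin fields, or None if it is not
    an ERA event (wrong tag, bad JSON, no event_type, or filtered HIPS severity)."""
    hdr = parse_syslog_line(line)
    if hdr is None or hdr["tag"] != ERA_TAG:
        return None
    try:
        raw = json.loads(hdr["msg"])
    except json.JSONDecodeError:
        return None
    if not isinstance(raw, dict) or "event_type" not in raw:
        return None
    if not hips_exported(raw):
        return None
    out = {"reporting_host": hdr["host"]}
    for src, dst in FIELD_MAP.items():
        if src in raw and raw[src] not in ("", None):
            out[dst] = raw[src]
    # "occurred" is UTC in %d-%b-%Y %H:%M:%S; emit ISO 8601 with an explicit zone.
    if "occurred" in raw:
        ts = datetime.strptime(raw["occurred"], OCCURRED_FMT).replace(tzinfo=timezone.utc)
        out["timestamp_occured"] = ts.isoformat()
    out["severity_rank"] = severity_rank(raw.get("severity", ""))
    return out


def process(lines):
    """Normalize every line, dropping those the plugin would not accept."""
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(json.dumps(ev, indent=2))
```

Run it against a saved capture of the sensor's syslog input to confirm that the tag, BSD header, and JSON body arrive in the shape the plugin expects; a line that fails parse_syslog_line usually means the ERA Format setting is not BSD, and a well-formed line with a tag other than "ERAServer" will never be picked up by the plugin.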

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • customfield_1
  • customfield_10
  • customfield_12
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_6
  • customfield_7
  • customfield_8
  • customfield_9
  • customheader_10
  • customheader_12
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_8
  • destination_address
  • destination_port
  • device_event_category
  • event_description
  • event_name
  • event_severity
  • file_name
  • rep_device_address
  • rep_device_address_6
  • rep_device_rule_id
  • source_address
  • source_port
  • source_process
  • source_username
  • timestamp_occured
  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://help.eset.com/era_admin/63/en-US/index.html?admin_server_settings_export_to_syslog.htm

https://help.eset.com/era_admin/65/en-US/admin_server_settings_syslog.html