Collect ESET AV logs

Supported in:

This document explains how to ingest ESET AV logs to Google Security Operations using Bindplane. The Logstash parser code extracts security event data from ESET_AV logs formatted in SYSLOG or JSON. It first normalizes the raw message, then parses it based on the identified format, mapping extracted fields to the corresponding Unified Data Model (UDM) schema for consistent representation and analysis.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Windows 2016 or later, or a Linux host with systemd
  • If running behind a proxy, firewall ports are open
  • Privileged access to ESET Protect

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).

  2. Edit the config.yaml file as follows:

    receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: 'ESET_AV'
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent

  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent

Configure Syslog for ESET PROTECT on-premises

  1. Sign in to the ESET Protect Web Console.
  2. Go to More > Settings > Advanced Settings > Syslog Server.
  3. Select the toggle next to Enable Syslog.
  4. Provide the following configuration details:
    • Host: Enter the Bindplane agent IP address
    • Port: Enter the Bindplane agent port number (514 for UDP)
    • Format: Select Syslog
    • Transport: Select UDP
    • Trace log verbosity: Select Informational
    • Export logs to Syslog toggle: Select Enable
    • Exported logs format: Select JSON
  5. Click Save.

Configure Syslog for ESET PROTECT Cloud

  1. Sign in to the ESET Protect Web Console.
  2. Go to More > Settings > Syslog Server.
  3. Select the toggle next to Enable Syslog.
  4. Provide the following configuration details:
    • Format of payload: Select JSON
    • Format of the envelope: Select Syslog
    • Minimum log Level: Select Informational
    • Event types to log: Select All event types
    • Destination IP: Enter the Bindplane agent IP address
    • Port: Enter the Bindplane agent port number (514 for UDP)
  5. Click Save.

UDM mapping table

Log Field UDM Mapping Logic
account principal.administrative_domain Extracted from the account field using grok pattern %{DATA:admin_domain}\\\\%{WORD:user_id}.
account principal.user.userid Extracted from the account field using grok pattern %{DATA:admin_domain}\\\\%{WORD:user_id}.
action security_result.action If action is Block (case-insensitive), set to BLOCK. If action is Start (case-insensitive), set to ALLOW.
action_taken security_result.action_details Directly mapped from the action_taken field.
computer_severity_score security_result.detection_fields A key-value pair is created with the key computer_severity_score and the value from the computer_severity_score field. This pair is appended to the security_result.detection_fields array.
detail security_result.description Directly mapped from the detail field.
domain principal.domain.name Directly mapped from the domain field.
eialarmid security_result.detection_fields A key-value pair is created with the key eialarmid and the value from the eialarmid field. This pair is appended to the security_result.detection_fields array.
eiconsolelink principal.url Directly mapped from the eiconsolelink field.
event metadata.description Renamed from event to event_desc and mapped to metadata.description.
event_type metadata.product_event_type Directly mapped from the event_type field.
group_name principal.group.group_display_name Directly mapped from the group_name field.
hash principal.file.sha1 Converted to lowercase. If the lowercase value matches the SHA-1 regex, mapped to principal.file.sha1.
hash principal.resource.attribute.labels A key-value pair is created with the key hash and the value from the hash field. This pair is appended to the principal.resource.attribute.labels array.
hostname principal.asset.hostname Directly mapped from the hostname field.
hostname principal.hostname Directly mapped from the hostname field.
inbound network.direction If true, set to INBOUND. If false, set to OUTBOUND.
ipv4 target.asset.ip Directly mapped from the ipv4 field if target_address is empty.
ipv4 target.ip Directly mapped from the ipv4 field if target_address is empty.
json_data Parsed as JSON to extract various fields.
message Parsed using grok to extract timestamp, host, and json_data.
need_restart additional.fields A key-value pair is created with the key need_restart and the value from the need_restart field (converted to string). This pair is appended to the additional.fields array.
os_name principal.platform If contains Window or window (case-insensitive), set to WINDOWS. If contains Linux or linux (case-insensitive), set to LINUX. If contains Mac or mac (case-insensitive), set to MAC.
os_name principal.platform_version Directly mapped from the os_name field.
process_name principal.process.file.full_path Directly mapped from the process_name field. If empty, takes the value of processname.
processname principal.process.file.full_path If process_name is empty, mapped to process_name.
protocol network.ip_protocol Converted to uppercase. If the uppercase value matches known protocols (TCP, UDP, ICMP, etc.), mapped to network.ip_protocol.
result security_result.summary Directly mapped from the result field.
rulename security_result.rule_name Directly mapped from the rulename field.
scan_id security_result.detection_fields A key-value pair is created with the key scan_id and the value from the scan_id field. This pair is appended to the security_result.detection_fields array.
scanner_id security_result.detection_fields A key-value pair is created with the key scanner_id and the value from the scanner_id field. This pair is appended to the security_result.detection_fields array.
severity security_result.severity If contains Warn or warn (case-insensitive), set to HIGH. If contains Info or info (case-insensitive), set to LOW.
severity_score security_result.detection_fields A key-value pair is created with the key severity_score and the value from the severity_score field. This pair is appended to the security_result.detection_fields array.
source_address principal.asset.ip Directly mapped from the source_address field.
source_address principal.ip Directly mapped from the source_address field.
source_port principal.port Converted to string and then to integer. Mapped to principal.port.
source_uuid metadata.product_log_id Directly mapped from the source_uuid field.
target Renamed to target1.
target_address target.asset.ip Directly mapped from the target_address field.
target_address target.ip Directly mapped from the target_address field.
target_port target.port Converted to string and then to integer. Mapped to target.port.
threat_handled security_result.detection_fields A key-value pair is created with the key threat_handled and the value from the threat_handled field (converted to string). This pair is appended to the security_result.detection_fields array.
threat_name security_result.threat_name Directly mapped from the threat_name field.
threat_type security_result.threat_id Directly mapped from the threat_type field.
time metadata.event_timestamp Used to populate metadata.event_timestamp.
username principal.user.userid Directly mapped from the username field if user_id and user are empty.
user principal.user.userid Directly mapped from the user field if user_id is empty.
metadata.event_type If source_address and target_address are not empty, set to NETWORK_CONNECTION. Else if has_user is true, set to USER_UNCATEGORIZED. Else if has_principal is true, set to STATUS_UPDATE. Otherwise, set to GENERIC_EVENT.
metadata.log_type Set to ESET_AV.
metadata.product_name Set to ESET_AV.
metadata.vendor_name Set to ESET_AV.
intermediary.hostname The value of this field is taken from the host field extracted from the log message.
principal.user.userid If the field account is not empty, the parser extracts the user ID from the account field using a grok pattern. Otherwise it checks if the field user is not empty, if so it takes its value. If both account and user are empty, it checks if the field username is not empty, if so it takes its value.

Need more help? Get answers from Community members and Google SecOps professionals.