Message 1 of 7

Datasource configuration

Dear all, I am facing two big problems.

1. How can I troubleshoot whether the event collector can access the Kaspersky log?

2. How could I add a data source for NOD32 [ESET]?

6 Replies
Message 2 of 7

Re: Datasource configuration

hon,

  Not sure about 1. You should maybe explain in some detail how you configured it, any errors, or what you are expecting to happen that is not??? Just saying it's not working can lead to lots of assumptions.

If I'm reading it right, you are using the ESET A/V product. For this, I created custom parser rules because McAfee does not support ESET (after working with the product I know why.... ESET is very configurable with regards to the syslog format).

Cheers,

  -B

Message 3 of 7

Re: Datasource configuration

Hi rcavey,

If you don't mind, could I ask for the parser and how I can get logs from ESET? Can this product use syslog, or do I need to share the path of the log file?

Message 4 of 7

Re: Datasource configuration

ESET is using syslog to relay the information and I can give you the regex for the ESET parser BUT the syslog format is not the ESET default and has to be in the needed format.

It might be a few days before I can post back but will when I can.

Message 5 of 7

Re: Datasource configuration

OK, thank you so much.

Message 6 of 7

Re: Datasource configuration

hon,

I would highly recommend reading the Nitro document on creating custom parsers (link below) *and* that you gather actual syslog entries to copy/paste into the Sample Log Data box to confirm your regex is correct.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24926/en_US/...

Example MalwareDetected setup:

ESET syslog format --->    ESET: MalwareDetected hostname: %CCN% timestamp: %DO% filename: %FN% action: %AT%

Nitro regex for custom parser:

<\d+>ESET\x3a\sMalwareDetected\shostname\x3a\s([A-Za-z0-9-]+)\s+\w+\x3a\s+\d+\s+\w+\s+(filename|directories)\x3a\s(.*)\saction\x3a\s(.*)

Example ScanSummary setup -->   ESET: ScanSummary hostname: %CCN% timestamp: %DO% directories: %DESC% MalwareDetections=%IN%

Nitro regex for custom parser:

NOTE: This only creates events in Nitro *if* MalwareDetections > 0... otherwise you get no events:

<\d+>(ESET\x3a\sScanSummary)\shostname\x3a\s([A-Za-z0-9-]+)\s+\w+\x3a\s+\d+\s+\w+\s+(directories|filename)\x3a(.*)MalwareDetections\x3d([1-9][0-9]?[0-9]*)

Cheers,

  -B

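As an added check (not part of the original post, and not McAfee or ESET code), the two regexes above run in Python over constructed sample lines in the described syslog format; the timestamp value is a made-up epoch plus zone chosen to satisfy the `\d+\s+\w+` the regexes expect after `timestamp:`. It also shows the MalwareDetections=0 case from the NOTE yielding no event.

```python
import re

# Regexes exactly as posted above (\x3a is ':', \x3d is '=').
MALWARE_DETECTED_RE = re.compile(
    r"<\d+>ESET\x3a\sMalwareDetected\shostname\x3a\s([A-Za-z0-9-]+)\s+\w+\x3a\s+\d+\s+\w+\s+"
    r"(filename|directories)\x3a\s(.*)\saction\x3a\s(.*)"
)
SCAN_SUMMARY_RE = re.compile(
    r"<\d+>(ESET\x3a\sScanSummary)\shostname\x3a\s([A-Za-z0-9-]+)\s+\w+\x3a\s+\d+\s+\w+\s+"
    r"(directories|filename)\x3a(.*)MalwareDetections\x3d([1-9][0-9]?[0-9]*)"
)

# Constructed sample syslog lines (assumed format; hostnames, paths and the
# "1418034000 UTC" timestamp are made up for the test).
SAMPLE_LOGS = [
    r"<14>ESET: MalwareDetected hostname: WS-042 timestamp: 1418034000 UTC "
    r"filename: C:\Users\bob\Downloads\eicar.com action: cleaned by deleting",
    r"<14>ESET: ScanSummary hostname: WS-042 timestamp: 1418034000 UTC "
    r"directories: C:\;D:\ MalwareDetections=3",
    # Zero detections: the [1-9] in the ScanSummary rule rejects this on purpose.
    r"<14>ESET: ScanSummary hostname: WS-043 timestamp: 1418034000 UTC "
    r"directories: C:\ MalwareDetections=0",
]


def parse_eset_line(line):
    """Return the fields the custom-parser rules would capture, or None if no rule fires."""
    m = MALWARE_DETECTED_RE.search(line)
    if m:
        host, kind, path, action = m.groups()
        return {"event": "MalwareDetected", "host": host, kind: path.strip(), "action": action.strip()}
    m = SCAN_SUMMARY_RE.search(line)
    if m:
        _, host, kind, path, count = m.groups()
        return {"event": "ScanSummary", "host": host, kind: path.strip(), "detections": int(count)}
    return None


def parse_all(lines):
    """Apply the rules to every line; None entries are lines that would create no Nitro event."""
    return [parse_eset_line(line) for line in lines]


if __name__ == "__main__":
    for line, parsed in zip(SAMPLE_LOGS, parse_all(SAMPLE_LOGS)):
        print(parsed if parsed else "NO EVENT (no rule matched)", "<-", line[:60])
```

Paste real ESET syslog entries into SAMPLE_LOGS before trusting the rules: if the timestamp format differs from the constructed one, the `\d+\s+\w+` part will need adjusting.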
Message 7 of 7

Re: Datasource configuration

Thank you so much, I will try it.
