Posts posted by Jean M


  1. Hi,

    I've enabled syslog in ESET SMC (v7.1) and I'm able to see logs generated in the syslog daemon. The configuration is the following:

    However, the syslog message contains non-printable characters at the beginning and end:

    # xxd /var/log/eset/RemoteAdministrator/Server/ERAServer.log
    00000000: efbb bf7b 2265 7665 6e74 5f74 7970 6522  ...{"event_type"
    00000010: 3a22 4175 6469 745f 4576 656e 7422 2c22  :"Audit_Event","
    00000020: 6970 7634 223a 2231 302e 3235 302e 312e  ipv4":"10.100.0.
    ...
    00000160: 7222 3a22 222c 2272 6573 756c 7422 3a22  r":"","result":"
    00000170: 5375 6363 6573 7322 7d23 3031 3523 3031  Success"}#015#01
    00000180: 320a                                     2.

    I know that the last two were escaped to #015 and #012 by the syslog daemon (rsyslogd) automatically.

    Does anyone know if this is expected? I tried both formats, BSD and Syslog, and they seem to give the same result.

    Thanks!


  2. Hi,

    Is it possible to get computer information like logged user (as shown when we open computer details in Web Console) from the ESET API?

    I'm able to get the listing of computers with Era.Common.NetworkMessage.ConsoleApi.Groups.RpcExportComputersRequest but this only returns a listing of computer names.

    Thanks,
    Jean M


  3. Hi,

    We'd like to experiment with this Rogue Detector server and we'd need more information to make the deployment correct.

    There's little documentation on this server in the documentation, other than the diagram showing it needs to be on the network.

    Does anyone know if:

    - Is the server monitoring DHCP requests, and anything else?

    - Will it listen on all interfaces, or is it configurable?

    Thanks!
    Jean M


  4. Hi,

    Is this necessary in ESET agents for ESET SMC to work? I've read in the documentation that it allows client tasks to be executed as soon as possible, can someone confirm if this is truly necessary or if it can be disabled?

    Is there a place where we can see the information sent to or contacts done to EPNS?

    The idea of having an on-prem solution was that it didn't have to rely on third-party services.

    Thanks for any feedback!


  5. Hi Martin,

    We're looking for actions executed by the native users in ESET SMC, the most important being the Client Tasks of type Run Command. But, overall, other actions would be useful also, for auditing purposes. The way the information is shown in the documentation made me think these syslog audit events would match what we would get from Audit Reports.

    Thanks!


  6. Hi,

    I'm trying to process ESET SMC Server in a SIEM system and it seems that it provides a good feature of sending JSON Audit Events to a syslog server. What I needed to know is what audit events are logged, because I'm only receiving login and logout events in syslog:

    2020-02-05T17:20:43.724Z ip-10-xxx.xxx ERAServer[2286] <U+FEFF>{"event_type":"Audit_Event","ipv4":"10.xxx","hostname":"ip-10-XXX","source_uuid":"976e2311-41fa-4e38-88ad-5af43c63bab6","occured":"05-Feb-2020 17:20:43","severity":"Information","domain":"Native user","action":"Login attempt","target":"USERNAME","detail":"Authenticating native user 'USERNAME'.","user":"","result":"Success"}#015#012


    Thanks!
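As an added example (not ESET's code and not part of these posts), a small Python normaliser for the audit lines shown in posts 1 and 6: it strips the UTF-8 BOM (EF BB BF / U+FEFF) that ESET SMC prepends and the rsyslog-escaped CR/LF (#015#012) appended at the end, then parses the JSON so a SIEM can index the fields. It assumes rsyslog's default escaping of control characters as `#` plus three octal digits; the sample line, its host, IP and user are constructed placeholders.

```python
import json
import re
from typing import Any

# Constructed sample line, modelled on the ESET SMC audit event quoted above.
# Hostname, IP and user are placeholders, not real values.
SAMPLE_LINE = (
    "2020-02-05T17:20:43.724Z ip-10-0-0-5 ERAServer[2286] "
    "\ufeff{\"event_type\":\"Audit_Event\",\"ipv4\":\"10.0.0.5\","
    "\"hostname\":\"ip-10-0-0-5\",\"source_uuid\":\"976e2311-41fa-4e38-88ad-5af43c63bab6\","
    "\"occured\":\"05-Feb-2020 17:20:43\",\"severity\":\"Information\","
    "\"domain\":\"Native user\",\"action\":\"Login attempt\",\"target\":\"USERNAME\","
    "\"detail\":\"Authenticating native user 'USERNAME'.\",\"user\":\"\","
    "\"result\":\"Success\"}#015#012"
)

# rsyslog (assumption: EscapeControlCharactersOnReceive left at its default)
# writes a received control character as '#' + three octal digits: CR -> #015, LF -> #012.
_RSYSLOG_ESCAPE = re.compile(r"#([0-7]{3})")
_TRAILING_ESCAPES = re.compile(r"(?:#[0-7]{3})+$")
# Header as rsyslog's default file format lays it out: timestamp host program[pid] message
_HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[ ]+)\[(?P<pid>\d+)\] (?P<msg>.*)$")


def decode_rsyslog_escapes(text: str) -> str:
    """Turn rsyslog '#ooo' escapes back into the control characters they stand for."""
    return _RSYSLOG_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def clean_message(msg: str) -> str:
    """Drop the leading BOM and the escaped CR/LF trailer so the payload is plain JSON."""
    # The BOM shows up as U+FEFF when the line was decoded as UTF-8, or as the
    # raw bytes EF BB BF (seen in the xxd dump) when it was decoded as latin-1.
    if msg.startswith("\ufeff"):
        msg = msg[1:]
    elif msg.startswith("\xef\xbb\xbf"):
        msg = msg[3:]
    # Only the trailer is unescaped: a '#ooo' inside a JSON string value must stay literal.
    return _TRAILING_ESCAPES.sub("", msg).strip("\r\n")


def parse_eset_audit_line(line: str) -> dict[str, Any]:
    """Split an rsyslog line into header fields plus the decoded JSON audit event."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an rsyslog-style line: %r" % line[:60])
    event = json.loads(clean_message(m.group("msg")))
    return {"ts": m.group("ts"), "host": m.group("host"), "prog": m.group("prog"),
            "pid": int(m.group("pid")), "event": event}


if __name__ == "__main__":
    rec = parse_eset_audit_line(SAMPLE_LINE)
    print(rec["event"]["domain"], rec["event"]["action"], rec["event"]["result"])
```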
