jacortijo (Members, 11 posts)
Everything posted by jacortijo

  1. Yes, I used a syslog server and it worked. The option to log into the OS event logger is not working in either Win2003 or W2008. Thanks.
  2. Hi Marcos, I know... those settings are in the Tools --> Server Options --> Logging tab and I already checked both to "Log to OS application log".... Then in the Threat log there is a check called Forwarding and I also checked it. After doing both things and visiting the eicar site to test the detection... it doesn't generate any specific event log in the OS application log... see the attachments. Thanks. Jose
  3. Hi, I am trying to forward the logs to the OS event log and I cannot do it. I am using a Win2008 server and a Windows 7 client. Once forwarding is activated, I only see two ERA_SERVER events, 500 and 503. The one related to the infection seems to be 503; see below. Does anyone know what is going on? Is there something I need to install? The event says that some component is missing on the computer.... Thanks in advance. Jose
     -----------------------
     Log Name: Application
     Source: ERA_SERVER
     Date: 22/06/2015 7:59:55
     Event ID: 503
     Task Category: None
     Level: Information
     Keywords: Classic
     User: N/A
     Computer: ALC-TEST.finalin.es
     Description: The description for Event ID 503 from source ERA_SERVER cannot be found. Either the component that raises this event is not installed on the local computer, or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event.
     The following information was included with the event: [2015-06-22 07:59:55.898] V3 [000000000006] [00080023] <notification> BEFORE: Active: 1 Name: #!$Forward Threat Log$!# Type: 7 Description: Pre-defined rule Priority: 4 Trigger Date: 0000-00-00 00:00:00 Last Triggered: 0000-00-00 00:00:00
     The message resource is present but the message was not found in the string/message table of the event XML: <Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="ERA_SERVER" /> <EventID Qualifiers="16384">503</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2015-06-22T05:59:55.000Z" /> <EventRecordID>2261</EventRecordID> <Channel>Application</Channel> <Computer>ALC-TEST.finalin.es</Computer> <Security /> </System> <EventData> <Data>[2015-06-22 07:59:55.898] V3 [000000000006] [00080023] <notification> BEFORE: Active: 1 Name: #!$Forward Threat Log$!# Type: 7 Description: Pre-defined rule Priority: 4 Trigger Date: 0000-00-00 00:00:00 Last Triggered: 0000-00-00 00:00:00 </Data> </EventData> </Event>
  4. Hi, I installed ERA Console v.5 on a Win2008 server and I also installed the antivirus client 5.0.2237. I also configured remote administration in the client to point to the server. The client now appears in the console but it shows an error. I see the toolbar icon in red and it shows the message "Problematic clients found". The client also appears in red in the console. See attachments. Could someone tell me what is happening? Thanks a lot. Jose
  5. Hi Marcos, I couldn't find any record in the Scan Log. Is that log what you called the "On-demand Scanner Log"? (see attachment) I knew about the Threat Log for the real-time detections... but my need is to find a way to reflect those logs in the host Operating System Event Log... or to forward them to a syslog server. I see that some internal events are propagated but not the detections... is it a matter of the version I am using, 5.2.26? Is version 6 more complete in these aspects? Thanks a lot for the reply. Jose
  6. Hi all, our server is a Win2003R2 with the 5.2.26 version of the AV with 11 client licenses. Unfortunately we had to disable the real-time analysis on the server due to compatibility issues with some software we need to use; RT is enabled in all the clients. My goal is that all workstations report to the ERA about infections they might have and then ERA "forwards" those events to the Windows event system or a syslog server, so a SIEM tool can collect them and correlate them. I just downloaded the eicar.com test file and put it on the desktop of the server. After that I ran an analysis and ESET found it and deleted it (put it in quarantine). I then checked the event viewer and I couldn't find any event related to the infection. Nothing appeared in the Threat log in ERA either. I attached a screenshot that shows ERA properly logging the same infection tested in the clients, BUT it doesn't show the infection detected on the server. In any case, none of these infections are reflected in the Windows Event Viewer (Application) or even in a syslog server which I also installed locally on the server (KIWI). In summary:
     - Real-time AV in the client detects the virus and notifies ERA correctly.
     - ERA reflects in the "Threat Log" all the detections that occurred in clients only.
     - ERA Threat Log doesn't show infections that occurred on the server.
     - None of the threat logs in ERA are copied as a Windows Event.
     - None of the threat logs are sent to the syslog server.
     Any suggestion? I must be missing something important... :? Thanks a lot in advance. Jose
  7. Hi Peter, sorry for my late reply, I was involved in a project and I had to put aside this issue. Our server is a Win2003R2 with the 5.2.26 version of the AV. We had to disable the real-time analysis due to compatibility issues with some software we need to use. My goal is that all workstations report to the ERA about infections they might have and then ERA "forwards" those events to the Windows event system or a syslog server, so the SIEM tool can collect them. In any case, I just downloaded the eicar file and put it on the desktop of the server. After that I ran an analysis manually and ESET found it and deleted it (put it in quarantine). I then checked the event viewer and I couldn't find any event related to the infection. Any idea what the reason can be? Nothing appeared in the Threat log in ERA either. I attach a screenshot that shows ERA properly logging the infection which occurs in clients but doesn't show the infection on the server. In any case, none of these infections are reflected in the Windows Event Viewer (Application) or even in a syslog server that I also installed (KIWI). In summary:
     - Real-time AV in the client detects the virus and notifies ERA.
     - ERA reflects in the "Threat Log" all the detections that occurred in clients.
     - ERA Threat Log doesn't show infections that occurred on the server.
     - None of the threat logs in ERA are copied as a Windows Event.
     - None of the threat logs are sent to the syslog server.
     Any suggestion? Thanks a lot in advance. Jose
  8. Hi all, I am involved in a project to integrate ESET logs into a SIEM tool (OSSIM). I installed the ERA Console and I saw that ESET can be configured to do the logging to the OS... so I did... I also configured the clients to allow remote administration as I plan to collect all the events on the server and log them into the OS, Windows 2003. I went to the option Tools --> Server options --> Logging. After all the settings, in the console I see the clients but I don't see many events in the Windows events... (I set level 5 and above in everything). I ran a full scan and two viruses were detected... could someone tell me where the events of those infections should be? I checked the Application events and Security events and nothing appears over there... I am running Win2003R2. Which event number is supposed to be for an infection? I only see a few events in the Application events subfolder regarding configuration changes in the console... the events 500 and 503, nothing else about the virus detections... thanks a lot. jose
  9. Thanks a lot Marcos for the quick reply. Unfortunately my boss is putting a lot of pressure on me to integrate the present antivirus solution into the SIEM solution... do you know if there is any way to upgrade our license to the business solution with a low investment? He is suggesting that I move to another solution... thanks once more. Jose
  10. Good afternoon, recently I started the deployment and configuration of a SIEM solution at work. I started with an open source solution called OSSIM. They do have plugins for several antivirus solutions but not for ESET, so I decided to create a plugin myself. In my company they use the version ESET Endpoint Antivirus. There is a Log tool that allows the user to see the different events that are happening. I would need to connect that with OSSIM somehow. Does someone know where those logs are stored? Are they plain text somewhere? Any info is welcome... thanks a lot in advance. Jose
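The posts above ask where the ERA_SERVER events end up and how to get them into a syslog-fed SIEM such as OSSIM. The script below is an added example written for this page, not code from ESET or from the forum poster: it parses a Windows Event XML record of the shape quoted in post 3 (provider ERA_SERVER, event ID 503), pulls the "Key: value" pairs out of the ERA notification payload, and re-emits the record as an RFC 5424 syslog message that a collector can ingest. The sample event is constructed to mirror the quoted one (the host name is invented), the `era@32473` structured-data ID uses the enterprise number RFC 5612 reserves for documentation, and the Windows level to syslog severity mapping is the example's own choice.

```python
"""Convert an ERA_SERVER Application-log event (Event XML as shown by Event
Viewer) into an RFC 5424 syslog message for a SIEM collector.
Added example; not ESET's code and not from the original thread."""
import re
import socket
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample modelled on the event 503 quoted in post 3; the host name
# is illustrative and the payload's "<notification>" is XML-escaped as Event
# Viewer would store it.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ERA_SERVER" />
    <EventID Qualifiers="16384">503</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-22T05:59:55.000Z" />
    <EventRecordID>2261</EventRecordID>
    <Channel>Application</Channel>
    <Computer>era-test.example.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[2015-06-22 07:59:55.898] V3 [000000000006] [00080023] &lt;notification&gt; BEFORE: Active: 1 Name: #!$Forward Threat Log$!# Type: 7 Description: Pre-defined rule Priority: 4 Trigger Date: 0000-00-00 00:00:00 Last Triggered: 0000-00-00 00:00:00</Data>
  </EventData>
</Event>"""

# Keys seen in the notification payload of the quoted event (assumed fixed set).
_ERA_KEYS = ("Active", "Name", "Type", "Description", "Priority",
             "Trigger Date", "Last Triggered")
_KEY_ALT = "|".join(_ERA_KEYS)
# Non-greedy value that stops just before the next known key or end of text.
_ERA_KV_RE = re.compile(r"(%s): (.*?)(?=\s(?:%s): |$)" % (_KEY_ALT, _KEY_ALT))
_LOCAL_STAMP_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\]")

# Windows event Level -> syslog severity (RFC 5424 section 6.2.1).
# 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose.
_LEVEL_TO_SEVERITY = {1: 2, 2: 3, 3: 4, 4: 6, 5: 7}


def parse_event(xml_text: str) -> dict:
    """Return the System fields plus the list of EventData/Data strings."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    return {
        "provider": system.find(EVT_NS + "Provider").get("Name"),
        "event_id": int(system.find(EVT_NS + "EventID").text),
        "level": int(system.find(EVT_NS + "Level").text),
        "time": system.find(EVT_NS + "TimeCreated").get("SystemTime"),
        "record_id": int(system.find(EVT_NS + "EventRecordID").text),
        "channel": system.find(EVT_NS + "Channel").text,
        "computer": system.find(EVT_NS + "Computer").text,
        "data": [d.text or "" for d in root.iter(EVT_NS + "Data")],
    }


def parse_era_payload(data: str) -> dict:
    """Extract 'Key: value' pairs and the bracketed local timestamp."""
    fields = {m.group(1): m.group(2).strip() for m in _ERA_KV_RE.finditer(data)}
    stamp = _LOCAL_STAMP_RE.match(data)
    if stamp:
        fields["LocalTime"] = stamp.group(1)
    return fields


def _sd_escape(value: str) -> str:
    # RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be escaped.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event: dict, facility: int = 1) -> str:
    """Build '<PRI>1 TIMESTAMP HOST APP - MSGID [SD] MSG' (facility 1 = user)."""
    severity = _LEVEL_TO_SEVERITY.get(event["level"], 6)
    pri = facility * 8 + severity
    payload = event["data"][0] if event["data"] else ""
    params = {"eventID": str(event["event_id"]), "channel": event["channel"],
              "recordID": str(event["record_id"])}
    for key, value in parse_era_payload(payload).items():
        params[key.replace(" ", "")] = value  # SD-NAME may not contain spaces
    sd = "[era@32473 " + " ".join(
        '%s="%s"' % (k, _sd_escape(v)) for k, v in params.items()) + "]"
    return "<%d>1 %s %s %s - %d %s %s" % (
        pri, event["time"], event["computer"], event["provider"],
        event["event_id"], sd, payload)


def send_udp(message: str, host: str, port: int = 514) -> None:
    """Ship one message to a UDP syslog collector (e.g. the KIWI/OSSIM host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    print(to_syslog(parse_event(SAMPLE_EVENT_XML)))
```

On a live host the XML would come from `wevtutil qe Application /q:"*[System[Provider[@Name='ERA_SERVER']]]" /f:xml` or `Get-WinEvent` with `.ToXml()`; the structured-data block keeps the ERA rule name and priority as separate fields so the SIEM side can match on them without regexing the free-text message.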