Jean M, posted February 5, 2020

Hi, I'm trying to process ESET SMC Server in a SIEM system and it seems that it provides a good feature of sending JSON Audit Events to a syslog server. What I needed to know is what audit events are logged, because I'm only receiving login and logout events in syslog:

2020-02-05T17:20:43.724Z ip-10-xxx.xxx ERAServer[2286] <U+FEFF>{"event_type":"Audit_Event","ipv4":"10.xxx","hostname":"ip-10-XXX","source_uuid":"976e2311-41fa-4e38-88ad-5af43c63bab6","occured":"05-Feb-2020 17:20:43","severity":"Information","domain":"Native user","action":"Login attempt","target":"USERNAME","detail":"Authenticating native user 'USERNAME'.","user":"","result":"Success"}#015#012

Thanks!

MartinK (ESET Staff), posted February 5, 2020

If I recall correctly, just the mentioned login/logout audit events are exported, for both native and domain users. What details would you be interested to see in SIEM? Just authentication details are exported, as the audit log might contain quite a lot of details that might not be interesting, especially when executed automatically, without the user's interaction.

Jean M, posted February 5, 2020

Hi Martin,

We're looking for actions executed by the native users in ESET SMC, one of the most important being the Client Tasks of type Run Command. But overall, other actions would be useful also, for auditing purposes. The way the information is shown in the documentation made me think these syslog audit events would match what we would get from Audit Reports.

Thanks!

Jean M, posted February 6, 2020

Could someone confirm what the syslog JSON logged Audit Events are? Is it just login and logout, and is there a way to log more than that?

MartinK (ESET Staff), posted February 6, 2020

7 hours ago, Jean M said:
> Could someone confirm what are the syslog JSON logged Audit Events? if it's just login and logout and if there's a way to log more than that.

I have verified my previous statement and it was true -> it is not possible to export any other audit events.

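For SIEM ingestion of the line quoted in the first post, a parser that tolerates the BOM marker before the JSON and the escaped CR/LF after it; this is an added example, not part of the thread and not ESET's code. The function names, the placeholder sample values and the "Failed" result value are assumptions; only the line layout and field names come from the quoted event.

```python
import json
import re
from datetime import datetime

# Header layout of the quoted line: receive time, host, app[pid], payload.
HEADER = re.compile(r"^(?P<received>\S+) (?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\] (?P<payload>.*)$", re.S)
BOM_FORMS = ("", "<U+FEFF>", "\ufeff")          # BOM rendered as text, or the real character
TRAILER = re.compile(r"^(?:#015|#012|\s)*$")    # CR/LF escaped by the syslog daemon, or raw

def parse_audit_line(line):
    """Parse one ERAServer audit line into a flat dict; raise ValueError if malformed."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("unrecognised syslog header")
    payload = m.group("payload")
    start = payload.find("{")
    if start < 0 or payload[:start].strip() not in BOM_FORMS:
        raise ValueError("unexpected data before JSON object")
    # raw_decode stops at the end of the object, so the escaped CR/LF does not break parsing.
    event, end = json.JSONDecoder().raw_decode(payload[start:])
    if not TRAILER.match(payload[start + end:]):
        raise ValueError("unexpected data after JSON object")
    if not isinstance(event, dict) or event.get("event_type") != "Audit_Event":
        raise ValueError("not an Audit_Event record")
    record = {"received": m.group("received"), "host": m.group("host"),
              "app": m.group("app"), "pid": int(m.group("pid")), **event}
    # "occured" (spelled as in the product output) carries no timezone, so it stays naive.
    record["occurred_at"] = datetime.strptime(event.get("occured", ""), "%d-%b-%Y %H:%M:%S")
    return record

def is_failed_login(record):
    """True for a login attempt whose result is anything other than "Success"."""
    return record.get("action") == "Login attempt" and record.get("result") != "Success"

def make_sample(result):
    """Build a constructed line in the shape quoted above (all values are placeholders)."""
    body = {"event_type": "Audit_Event", "ipv4": "10.0.0.1", "hostname": "ip-10-0-0-1",
            "source_uuid": "00000000-0000-0000-0000-000000000000",
            "occured": "05-Feb-2020 17:20:43", "severity": "Information",
            "domain": "Native user", "action": "Login attempt", "target": "USERNAME",
            "detail": "Authenticating native user 'USERNAME'.", "user": "", "result": result}
    return ("2020-02-05T17:20:43.724Z ip-10-0-0-1 ERAServer[2286] <U+FEFF>"
            + json.dumps(body, separators=(",", ":")) + "#015#012")

if __name__ == "__main__":
    for result in ("Success", "Failed"):   # "Failed" is a constructed value, not from the thread
        rec = parse_audit_line(make_sample(result))
        print(rec["occurred_at"].isoformat(), rec["target"], rec["result"], is_failed_login(rec))
```

Since the thread confirms that only login/logout events are exported, coverage of actions such as Client Tasks has to come from another source.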