Jean M

SMC Server Logging Audit Events

Hi,

I'm trying to process ESET SMC Server in a SIEM system and it seems that it provides a good feature of sending JSON Audit Events to a syslog server. What I needed to know is what audit events are logged, because I'm only receiving login and logout events in syslog:

2020-02-05T17:20:43.724Z ip-10-xxx.xxx ERAServer[2286] <U+FEFF>{"event_type":"Audit_Event","ipv4":"10.xxx","hostname":"ip-10-XXX","source_uuid":"976e2311-41fa-4e38-88ad-5af43c63bab6","occured":"05-Feb-2020 17:20:43","severity":"Information","domain":"Native user","action":"Login attempt","target":"USERNAME","detail":"Authenticating native user 'USERNAME'.","user":"","result":"Success"}#015#012

 

Thanks!


If I recall correctly, just the mentioned login/logout audit events are exported for both native and domain users. What details would you be interested to see in SIEM? Just authentication details are exported, as the audit log might contain quite a lot of details that might not be interesting, especially when executed automatically, without the user's interaction.


Hi Martin,

We're looking for actions executed by the native users in ESET SMC, one of the most important being Client Tasks of type Run Command. But overall, other actions would also be useful for auditing purposes. The way the information is shown in the documentation made me think these syslog audit events would match what we would get from Audit Reports.

Thanks!


Could someone confirm what the syslog JSON logged Audit Events are? Is it just login and logout, and is there a way to log more than that?

7 hours ago, Jean M said:

Could someone confirm what the syslog JSON logged Audit Events are? Is it just login and logout, and is there a way to log more than that?

I have verified my previous statement and it was true -> it is not possible to export any other audit events.
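An added example, not part of the thread and not ESET's code: a Python parser for the syslog line quoted in the first post, which strips the <U+FEFF> marker and the escaped #015#012 line ending before decoding the JSON, then picks out login attempts that did not succeed. The function names and the "Failed" result value in the constructed second line are assumptions.

```python
import json
import re
from datetime import datetime

# Header layout taken from the sample line: timestamp, host, tag[pid], payload.
HEADER = re.compile(r"^(?P<received>\S+)\s+(?P<host>\S+)\s+"
                    r"(?P<tag>[^\s\[]+)\[(?P<pid>\d+)\]:?\s+(?P<payload>.*)$")
# The byte order mark arrives either raw or rendered as the text "<U+FEFF>".
BOM = re.compile(r"^(?:\ufeff|<U\+FEFF>)")
# The trailing CR/LF shows up escaped as "#015#012" in the received line.
TRAILER = re.compile(r"(?:#015|#012|\s)+$")
REQUIRED = ("action", "target", "result", "occured")  # "occured" is the exported key

def parse_audit_line(line):
    """Return a normalized dict for an ERAServer Audit_Event line, else None."""
    m = HEADER.match(line.strip())
    if not m or m["tag"] != "ERAServer":
        return None
    payload = BOM.sub("", TRAILER.sub("", m["payload"]))
    try:
        event = json.loads(payload)
        # The event carries no time zone, so the value stays naive.
        occurred = datetime.strptime(event["occured"], "%d-%b-%Y %H:%M:%S")
    except (ValueError, KeyError, TypeError):
        return None
    if event.get("event_type") != "Audit_Event" or any(k not in event for k in REQUIRED):
        return None
    return {"received": m["received"], "host": m["host"], "occurred": occurred,
            "domain": event.get("domain"), "action": event["action"],
            "target": event["target"], "result": event["result"]}

def unsuccessful_logins(lines):
    """Parsed login attempts whose result is anything other than "Success"."""
    events = (parse_audit_line(line) for line in lines)
    return [e for e in events
            if e and e["action"] == "Login attempt" and e["result"] != "Success"]

# The sample line from the first post, unchanged.
PAGE_LINE = ('2020-02-05T17:20:43.724Z ip-10-xxx.xxx ERAServer[2286] <U+FEFF>{"event_type":"Audit_Event","ipv4":"10.xxx","hostname":"ip-10-XXX","source_uuid":"976e2311-41fa-4e38-88ad-5af43c63bab6","occured":"05-Feb-2020 17:20:43","severity":"Information","domain":"Native user","action":"Login attempt","target":"USERNAME","detail":"Authenticating native user \'USERNAME\'.","user":"","result":"Success"}#015#012')
# Constructed variant: the "Failed" value is an assumption for illustration.
FAILED_LINE = PAGE_LINE.replace('"result":"Success"', '"result":"Failed"')
# Constructed line from another program, which the parser must skip.
OTHER_LINE = "2020-02-05T17:21:00.000Z ip-10-xxx.xxx sshd[100] session opened"

if __name__ == "__main__":
    for hit in unsuccessful_logins([PAGE_LINE, FAILED_LINE, OTHER_LINE]):
        print(hit["occurred"].isoformat(), hit["host"], hit["target"], hit["result"])
```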
