Jean M

SMC Server Logging Audit Events


Hi,

I'm trying to process ESET SMC Server in a SIEM system and it seems that it provides a good feature of sending JSON Audit Events to a syslog server. What I needed to know is what audit events are logged, because I'm only receiving login and logout events in syslog:

2020-02-05T17:20:43.724Z ip-10-xxx.xxx ERAServer[2286] <U+FEFF>{"event_type":"Audit_Event","ipv4":"10.xxx","hostname":"ip-10-XXX","source_uuid":"976e2311-41fa-4e38-88ad-5af43c63bab6","occured":"05-Feb-2020 17:20:43","severity":"Information","domain":"Native user","action":"Login attempt","target":"USERNAME","detail":"Authenticating native user 'USERNAME'.","user":"","result":"Success"}#015#012

 


Thanks!
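
For anyone normalizing these lines in a SIEM pipeline, here is an added example (not part of the original thread and not ESET code) that parses the line quoted above: it strips the rendered BOM marker and the `#015#012` suffix (CR LF written as octal escapes) before decoding the JSON. The host and IP values in the sample are constructed placeholders, and the output field names are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample modelled on the line quoted in the post; host and IP are placeholders.
SAMPLE_LINE = (
    '2020-02-05T17:20:43.724Z ip-10-0-0-5 ERAServer[2286] <U+FEFF>'
    '{"event_type":"Audit_Event","ipv4":"10.0.0.5","hostname":"ip-10-0-0-5",'
    '"source_uuid":"976e2311-41fa-4e38-88ad-5af43c63bab6",'
    '"occured":"05-Feb-2020 17:20:43","severity":"Information",'
    '"domain":"Native user","action":"Login attempt","target":"USERNAME",'
    '"detail":"Authenticating native user \'USERNAME\'.","user":"","result":"Success"}'
    '#015#012'
)

HEADER = re.compile(r"^(?P<received>\S+) (?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]:? ")
TRAILER = re.compile(r"(?:#015|#012|\r|\n)+$")  # CR/LF, raw or as #ooo octal escapes
BOM_FORMS = ("<U+FEFF>", "\ufeff")              # BOM as rendered text or as the real character


def parse_audit_line(line):
    """Return a normalized dict for an Audit_Event line, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    payload = TRAILER.sub("", line[m.end():]).lstrip()
    for bom in BOM_FORMS:
        if payload.startswith(bom):
            payload = payload[len(bom):]
    try:
        event = json.loads(payload)
        if event.get("event_type") != "Audit_Event":
            return None
        # "occured" (spelled as in the log) carries no time zone, so it stays naive.
        when = datetime.strptime(event["occured"], "%d-%b-%Y %H:%M:%S")
    except (ValueError, KeyError, AttributeError, TypeError):
        return None
    return {
        "received": m["received"],
        "host": m["host"],
        "occurred": when.isoformat(),
        "action": event.get("action"),
        "account": event.get("target"),
        "domain": event.get("domain"),
        "result": event.get("result"),
        "success": event.get("result") == "Success",
    }
```
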


If I recall correctly, just the mentioned login/logout audit events are exported, for both native and domain users. What details would you be interested in seeing in the SIEM? Just authentication details are exported, as the audit log might contain quite a lot of details that might not be interesting, especially when executed automatically, without the user's interaction.


Hi Martin,

We're looking for actions executed by the native users in ESET SMC, one of the most important being Client Tasks of type Run Command. But overall, other actions would also be useful for auditing purposes. The way the information is shown in the documentation made me think these syslog audit events would match what we would get from Audit Reports.

Thanks!


Could someone confirm what the syslog JSON logged Audit Events are? If it's just login and logout, and if there's a way to log more than that.

7 hours ago, Jean M said:

Could someone confirm what the syslog JSON logged Audit Events are? If it's just login and logout, and if there's a way to log more than that.

I have verified my previous statement and it was true -> it is not possible to export any other audit events.
