ESET Endpoint Antivirus 5.2.26 ..... no logging at all


Hi all,

I am involved in a project to integrate ESET logs into a SIEM tool (OSSIM).

I installed the ERA Console and I saw that ESET can be configured to do the logging to the OS... so I did...

I also configured the clients to allow remote administration, as I plan to collect all the events on the server and log them into the OS, Windows 2003.

I went to the option Tools --> Server options --> Logging

After all the settings, in the console I see the clients, but I don't see many events in the Windows events... (I set level 5 and above in everything).

I ran a full scan and two viruses were detected... could someone tell me where the events of those infections should be?

I checked in the Application events and Security events and nothing appears over there... I am running Win2003R2.

Which event numbers are supposed to be for an infection? I only see a few events in the Application events subfolder regarding configuration changes in the console... the events 500 and 503, nothing else about the virus detections...

Thanks a lot.

jose


  • ESET Moderators

Hello Jose,

I enabled logging (with default log level) to the Event log on my VM and tried to download the eicar anti-malware test file.

It successfully logged an entry with level warning (Event ID 251) to the Application event log:

"The following information was included with the event:

Scanner: HTTP filter
Object type: file
Object: hXXp://www.eicar.org/download/eicar.com
Threat: Eicar test file
Action: connection terminated - quarantined
User: Randziak_Win7_B\Peter
Information: Threat was detected upon access to web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe."

P.R.
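As an added example (not code from the thread, from ESET, or from OSSIM), the following Python parser turns the "Key: value" body of the Event ID 251 entry Peter quoted above into a flat record that a SIEM collector could index, and rejects other Application-log events (such as the 500 and 503 configuration-change IDs Jose mentioned) so they are not mistaken for detections. The field names are taken from the quoted entry; the regex, the helper names, and the treatment of 500/503 as non-detections are assumptions of this example, and the Event ID 500 message text is constructed.

```python
"""Parse ESET Endpoint Antivirus threat events (Event ID 251) from the
Windows Application log into a flat record for SIEM ingestion.

Example code written for this thread; not ESET's or OSSIM's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Event ID the ESET moderator reported for a threat detection written to the
# Application log. 500 and 503 appear in the thread as configuration-change
# events, not detections (assumption: they never carry threat fields).
THREAT_EVENT_ID = 251
CONFIG_EVENT_IDS = {500, 503}

# "Key: value" lines shown in the quoted 251 entry.
KNOWN_FIELDS = ("Scanner", "Object type", "Object", "Threat",
                "Action", "User", "Information")

_LINE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")
_APP = re.compile(r"by the application:\s*(?P<path>.+)$")


@dataclass
class ThreatEvent:
    """Normalized detection record; None for fields absent from the message."""
    event_id: int
    level: str
    scanner: Optional[str] = None
    object_type: Optional[str] = None
    obj: Optional[str] = None
    threat: Optional[str] = None
    action: Optional[str] = None
    user: Optional[str] = None
    information: Optional[str] = None
    extra: Dict[str, str] = field(default_factory=dict)


def parse_fields(message: str) -> Dict[str, str]:
    """Split the event body into a dict, skipping the preamble line and blanks."""
    fields: Dict[str, str] = {}
    for raw in message.splitlines():
        line = raw.strip().strip('"')
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip().rstrip(".")
        if key in KNOWN_FIELDS or value:      # preamble has an empty value
            fields[key] = value
    return fields


def parse_event(event_id: int, level: str, message: str) -> Optional[ThreatEvent]:
    """Return a ThreatEvent for an ID 251 detection, None for any other event."""
    if event_id != THREAT_EVENT_ID:
        return None
    f = parse_fields(message)
    return ThreatEvent(
        event_id=event_id, level=level,
        scanner=f.get("Scanner"), object_type=f.get("Object type"),
        obj=f.get("Object"), threat=f.get("Threat"), action=f.get("Action"),
        user=f.get("User"), information=f.get("Information"),
        extra={k: v for k, v in f.items() if k not in KNOWN_FIELDS},
    )


def is_quarantined(ev: ThreatEvent) -> bool:
    """True when ESET reports the object was quarantined."""
    return ev.action is not None and "quarantined" in ev.action.lower()


def split_user(user: str) -> Tuple[str, str]:
    """Split 'HOST\\name' into (host_or_domain, name)."""
    host, _, name = user.partition("\\")
    return host, name


def source_application(ev: ThreatEvent) -> Optional[str]:
    """Extract the process path from the Information field, if present."""
    m = _APP.search(ev.information or "")
    return m.group("path") if m else None


# Sample input: the entry quoted by the ESET moderator in this thread.
SAMPLE_251 = (
    "The following information was included with the event: \n\n"
    "Scanner: HTTP filter\n"
    "Object type: file\n"
    "Object: hXXp://www.eicar.org/download/eicar.com\n"
    "Threat: Eicar test file\n"
    "Action: connection terminated - quarantined\n"
    "User: Randziak_Win7_B\\Peter\n"
    "Information: Threat was detected upon access to web by the application: "
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe."
)
# Constructed sample of a configuration-change event (message text invented).
SAMPLE_500 = "Settings changed from the ERA console (constructed sample)."

if __name__ == "__main__":
    ev = parse_event(251, "Warning", SAMPLE_251)
    print(ev.threat, ev.scanner, is_quarantined(ev), source_application(ev))
    print(parse_event(500, "Information", SAMPLE_500))
```

Feeding the two samples through `parse_event` yields a populated record for the 251 entry and `None` for the 500 entry, which is the distinction a collector needs when, as in Jose's case, the Application log contains only configuration events and no detections.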

  • 4 weeks later...

Hi Peter,

Sorry for my late reply, I was involved in a project and I had to put this issue aside.

Our server is a Win2003R2 with the 5.2.26 version of the AV. We had to disable the real-time analysis due to compatibility issues with some software we need to use.

My goal is that all workstations report to the ERA about infections they might have and then ERA "forwards" those events to the Windows event system or a syslog server, so the SIEM tool can collect them.

In any case, I just downloaded the eicar file and put it on the desktop on the server. After that I ran an analysis manually and ESET found it and deleted it (put it in quarantine). I then checked the event viewer and I couldn't find any event related to the infection.

Any idea what the reason can be? Nothing appeared in the Threat log in ERA either.

I attach a screenshot that shows ERA properly logging the infections which occur on clients but doesn't show infections on the server. In any case, none of these infections are reflected in the Windows Event Viewer (Application) or even in a syslog server that I also installed (KIWI).

In summary:

- Real-time AV on the client detects the virus and notifies ERA.
- ERA reflects in the "Threat Log" all the detections that occurred on clients.
- ERA Threat Log doesn't show infections that occurred on the server.
- None of the threat logs in ERA are copied as a Windows Event.
- None of the threat logs are sent to the syslog server.

Any suggestion?

Thanks a lot in advance.

Jose
[Attachments: two screenshots]