Jump to content

ESET Endpoint Antivirus 5.2.26 ..... no logging at all


Recommended Posts

Hi all,


 


I am involved in a project to integrate ESET logs into a SIEM tool (OSSIM).


 


I installed the ERA Console and I saw that the ESET can be configured to do the logging to the OS... so I did ... 


I also configured the clients to allow remote administration as I plan to collect all the events in the server and log into the OS, windows 2003.


 


I went to the option Tools --> Server options --> Logging 


 


After all the settings, in the console I see the clients but I dont see much event in the windows events...(I set level 5 and above in everything).


I run a full scan and two virus were detected... someone could tell me where the events of those infections should be?


I checked in the Application events and Security events and nothing appears over there... I am running win2003R2.


 


Which event number are supposed to be for an infection? I only see a few events in the Application events subfolder regarding configuration changes in the console...the events 500 and 503, nothing else about the virus detections...


 


thanks a lot.


jose


Edited by jacortijo
Link to comment
Share on other sites

  • ESET Moderators

Hello Jose,

 

I enabled logging (with default log level) to the Event log on my VM and tried to download eicar anti-malware testfile.

It successfully logged entry with level warning (Event ID 251) to the Application event log:

 

"The following information was included with the event: 

 
Scanner: HTTP filter
Object type: file
Object: hXXp://www.eicar.org/download/eicar.com
Threat: Eicar test file
Action: connection terminated - quarantined
User: Randziak_Win7_B\Peter
Information: Threat was detected upon access to web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe."
 
P.R.
Link to comment
Share on other sites

  • 4 weeks later...

Hi Peter,

sorry for my late reply, I was involved in a project and I had to put aside this issue.

 

Our server is a Win2003R2 with the 5.2.26 version of the AV. We had to disable the real-time analysis due to compatibility issues with some software we need to use.

 

My goal is that all workstations report to the ERA about infections they might have and then, ERA "forward" those events to the windows event system or syslog server, so the SIEM tool can collect them.

 

In any case, I just downloaded the eicar file and put it in the desktop in the server. After that I run manually an analysis and ESET found it and deleted it (put it in quarantine). I checked then the event viewer and I couldn't find any event related with the infection.

any idea what can be the reason ? Nothing appeared in the Threat log in ERA either.

 

I attach a screen-shot that shows ERA properly logging  the infection which occurs in Clients but doesn't show infection in the server. In any case, none of these infections are reflected in the Windows Event Viewer (Application) or even in a syslog server that also installed (KIWI).

 

In summary:

- Real-time AV in Client detects the virus and notify ERA.

- ERA reflects in the "Threat Log" all the detections occurred in clients.

- ERA Threat Log doesn't show infections occurred in the server.

- None of the threat logs in ERA are copied as a Windows Event

- None of the threat logs are sent to the syslog server

 

any suggestion?

 

Thanks a lot in advance.

Jose

post-7275-0-83492500-1434392553_thumb.png

post-7275-0-29808000-1434406171_thumb.png

Edited by jacortijo
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...