Events exported to JSON format
JSON is a lightweight format for data exchange. It is built on collection of name / value pairs and an ordered list of values.
Exported events
This section contains details on the format and meaning of attributes of all exported events. The event message is in the form of a JSON object with some mandatory and some optional keys. Each one exported event will contain the following key:
event_type |
string |
|
Type of exported events: Threat_Event, FirewallAggregated_Event, HipsAggregated_Event, Audit_Event, EnterpriseInspectorAlert_Event, BlockedFiles_Event, FilteredWebsites_Event. |
|---|---|---|---|
ipv4 |
string |
optional |
IPv4 address of the computer generating the event. |
ipv6 |
string |
optional |
IPv6 address of the computer generating the event. |
source_uuid |
string |
|
UUID of the computer generating the event. |
occurred |
string |
|
UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S |
severity |
string |
|
Severity of the event. Possible values (form least severe to most severe) are: Information Notice Warning Error CriticalFatal |
Custom keys according to event_type:
1. ThreatEvent
All Detection events generated by managed endpoints will be forwarded to Syslog. Detection event specific key:
threat_type |
string |
optional |
Type of detection |
|---|---|---|---|
threat_name |
string |
optional |
Name of detection |
threat_flags |
string |
optional |
Detection related flags |
scanner_id |
string |
optional |
Scanner ID |
scan_id |
string |
optional |
Scan ID |
engine_version |
string |
optional |
Version of the scanning engine |
object_type |
string |
optional |
Type of object related to this event |
object_uri |
string |
optional |
Object URI |
action_taken |
string |
optional |
Action taken by the Endpoint |
action_error |
string |
optional |
Error message in case the "action" was not successful |
threat_handled |
bool |
optional |
Indicates whether or not the detection was handled |
need_restart |
bool |
optional |
Whether or not the restart is needed |
username |
string |
optional |
Name of the user account associated with the event |
processname |
string |
optional |
Name of the process associated with the event |
circumstances |
string |
optional |
Short description of what caused the event |
hash |
string |
optional |
SHA1 hash of the (detection) data stream. |
string |
optional |
Time and date when the detection was found for the first time at that machine. ESET PROTECT employs different date-time formats for the firstseen attribute (and any other date-time attribute) depending on log output format (JSON or LEEF): •JSON format: "%d-%b-%Y %H:%M:%S" •LEEF format: "%b %d %Y %H:%M:%S" |
2. FirewallAggregated_Event
Event logs generated by ESET Personal Firewall are aggregated by the managing ESET Management Agent to avoid wasting bandwidth during ESET Management Agent/ ESET PROTECT Server replication. Firewall event specific key:
event |
string |
optional |
Event name |
|---|---|---|---|
source_address |
string |
optional |
Address of the event source |
source_address_type |
string |
optional |
Type of address of the event source |
source_port |
number |
optional |
Port of the event source |
target_address |
string |
optional |
Address of the event destination |
target_address_type |
string |
optional |
Type of address of the event destination |
target_port |
number |
optional |
Port of the event destination |
protocol |
string |
optional |
Protocol |
account |
string |
optional |
Name of the user account associated with the event |
process_name |
string |
optional |
Name of the process associated with the event |
rule_name |
string |
optional |
Rule name |
rule_id |
string |
optional |
Rule ID |
inbound |
bool |
optional |
Whether or not the connection was inbound |
threat_name |
string |
optional |
Name of the detection |
aggregate_count |
number |
optional |
How many exact same messages were generated by the endpoint between two consecutive replications between ESET PROTECT Server and managing ESET Management Agent |
3. HIPSAggregated_Event
Events from Host-based Intrusion Prevention System are filtered on severity before they are sent further as Syslog messages. Only events with severity levels Error, Critical and Fatal are sent to Syslog. HIPS specific attributes are as follows:
application |
string |
optional |
Application name |
|---|---|---|---|
operation |
string |
optional |
Operation |
target |
string |
optional |
Target |
action |
string |
optional |
Action |
rule_name |
string |
optional |
Rule name |
rule_id |
string |
optional |
Rule ID |
aggregate_count |
number |
optional |
How many exact same messages were generated by the endpoint between two consecutive replications between ESET PROTECT Server and managing ESET Management Agent |
4. Audit_Event
ESET PROTECT forwards Server's internal audit log messages to Syslog. Specific attributes are as follows:
domain |
string |
optional |
Audit log domain |
|---|---|---|---|
action |
string |
optional |
Action taking place |
target |
string |
optional |
Target action is operating on |
detail |
string |
optional |
Detailed description of the action |
user |
string |
optional |
Security user involved |
result |
string |
optional |
Result of the action |
5. FilteredWebsites_Event
ESET PROTECT forwards the filtered websites (Web Protection detections) to Syslog. Specific attributes are as follows:
hostname |
string |
optional |
Hostname of the computer with the event |
processname |
string |
optional |
Name of the process associated with the event |
username |
string |
optional |
Name of the user account associated with the event |
resolved |
bool |
optional |
Indicates whether or not the event was handled |
hash |
string |
optional |
SHA1 hash of the filtered object |
event |
string |
optional |
Event type |
rule_id |
string |
optional |
Rule ID |
action_taken |
string |
optional |
Action taken |
scanner_id |
string |
optional |
Scanner ID |
object_uri |
string |
optional |
Object URI |
target_address |
string |
optional |
Address of the event destination |
target_address_type |
string |
optional |
Type of address of the event destination (25769803777 = IPv4; 25769803778 = IPv6) |
6. EnterpriseInspectorAlert_Event
ESET PROTECT forwards ESET Enterprise Inspector alarms to Syslog. Specific attributes are as follows:
processname |
string |
optional |
Name of the process causing this alarm |
|---|---|---|---|
username |
string |
optional |
Owner of the process |
rulename |
string |
optional |
Name of the rule triggering this alarm |
count |
number |
optional |
Number of alerts of this type generated since last alarm |
hash |
string |
optional |
SHA1 hash of the alarm |
eiconsolelink |
string |
optional |
Link to the alarm in ESET Enterprise Inspector console |
eialarmid |
string |
optional |
ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$) |
7. BlockedFiles_Event
ESET PROTECT forwards ESET Enterprise Inspector Blocked Files to Syslog. Specific attributes are as follows:
hostname |
string |
optional |
Hostname of the computer with the event |
processname |
string |
optional |
Name of the process associated with the event |
username |
string |
optional |
Name of the user account associated with the event |
resolved |
bool |
optional |
Indicates whether or not the blocked file was handled |
hash |
string |
optional |
SHA1 hash of the blocked file |
object_uri |
string |
optional |
Object URI |
action |
string |
optional |
Action taken |
firstseen |
string |
optional |
Time and date when the detection was found for the first time at that machine (date and time format). |
cause |
string |
optional |
|
description |
string |
optional |
Description of the blocked file |