Events exported to JSON format

JSON is a lightweight format for data exchange. It is built on collection of name / value pairs and an ordered list of values.

Exported events

This section contains details on the format and meaning of attributes of all exported events. The event message is in the form of a JSON object with some mandatory and some optional keys. Each one exported event will contain the following key:

event_type	string		Type of exported events: •Threat_Event (Antivirus detections) •FirewallAggregated_Event ( Firewall detections) •HipsAggregated_Event ( HIPS detections) •Audit_Event (Audit log) •FilteredWebsites_Event (Filtered websites— Web Protection) •EnterpriseInspectorAlert_Event ( ESET Inspect Alerts) •BlockedFiles_Event ( Blocked files)
ipv4	string	optional	IPv4 address of the computer generating the event.
ipv6	string	optional	IPv6 address of the computer generating the event.
source_uuid	string		UUID of the computer generating the event.
occurred	string		UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S
severity	string		Severity of the event. Possible values (from least severe to most severe) are: Information, Notice, Warning, Error, Critical, Fatal.

All event types listed below with all severity levels are reported to Syslog server. To filter the event logs sent to Syslog, create a log category notification with a defined filter.

The reported values depend on the ESET security product (and its version) installed on the managed computer, and ESET PROTECT only reports the received data. Therefore, ESET cannot provide an exhaustive list of all values. We recommend watching your network and filtering the logs based on the values you receive.

Custom keys according to event_type:

Threat_Event

All Antivirus detection events generated by managed endpoints will be forwarded to Syslog. Detection event specific key:

threat_type	string	optional	Type of detection
threat_name	string	optional	Name of detection
threat_flags	string	optional	Detection related flags
scanner_id	string	optional	Scanner ID
scan_id	string	optional	Scan ID
engine_version	string	optional	Version of the scanning engine
object_type	string	optional	Type of object related to this event
object_uri	string	optional	Object URI
action_taken	string	optional	Action taken by the Endpoint
action_error	string	optional	Error message if the "action" was not successful
threat_handled	bool	optional	Indicates whether or not the detection was handled
need_restart	bool	optional	Whether or not the restart is needed
username	string	optional	Name of the user account associated with the event
processname	string	optional	Name of the process associated with the event
circumstances	string	optional	Short description of what caused the event
hash	string	optional	SHA1 hash of the (detection) data stream.
firstseen	string	optional	Time and date when the detection was found for the first time at that machine. ESET PROTECT employs different date-time formats for the firstseen attribute (and any other date-time attribute) depending on log output format (JSON or LEEF): •JSON format: "%d-%b-%Y %H:%M:%S" •LEEF format: "%b %d %Y %H:%M:%S"

Threat_Event log example:

FirewallAggregated_Event

Event logs generated by ESET Firewall ( Firewall detections) are aggregated by the managing ESET Management Agent to avoid wasting bandwidth during ESET Management Agent/ ESET PROTECT Server replication. Firewall event specific key:

event	string	optional	Event name
source_address	string	optional	Address of the event source
source_address_type	string	optional	Type of address of the event source
source_port	number	optional	Port of the event source
target_address	string	optional	Address of the event destination
target_address_type	string	optional	Type of address of the event destination
target_port	number	optional	Port of the event destination
protocol	string	optional	Protocol
account	string	optional	Name of the user account associated with the event
process_name	string	optional	Name of the process associated with the event
rule_name	string	optional	Rule name
rule_id	string	optional	Rule ID
inbound	bool	optional	Whether or not the connection was inbound
threat_name	string	optional	Name of the detection
aggregate_count	number	optional	How many exact same messages were generated by the endpoint between two consecutive replications between ESET PROTECT Server and managing ESET Management Agent
action	string	optional	Action taken
handled	string	optional	Indicates whether or not the detection was handled

FirewallAggregated_Event log example:

HIPSAggregated_Event

Events from Host-based Intrusion Prevention System ( HIPS detections) are filtered on severity before they are sent further as Syslog messages. HIPS specific attributes are as follows:

application	string	optional	Application name
operation	string	optional	Operation
target	string	optional	Target
action	string	optional	Action taken
action_taken	string	optional	Action taken by the Endpoint
rule_name	string	optional	Rule name
rule_id	string	optional	Rule ID
aggregate_count	number	optional	How many exact same messages were generated by the endpoint between two consecutive replications between ESET PROTECT Server and managing ESET Management Agent
handled	string	optional	Indicates whether or not the detection was handled

HipsAggregated_Event log example:

Audit_Event

ESET PROTECT forwards internal audit log messages to Syslog. Specific attributes are as follows:

domain	string	optional	Audit log domain
action	string	optional	Action taking place
target	string	optional	Target action is operating on
detail	string	optional	Detailed description of the action
user	string	optional	Security user involved
result	string	optional	Result of the action

Audit_Event log example:

FilteredWebsites_Event

ESET PROTECT forwards the filtered websites ( Web Protection detections) to Syslog. Specific attributes are as follows:

hostname	string	optional	Hostname of the computer with the event
processname	string	optional	Name of the process associated with the event
username	string	optional	Name of the user account associated with the event
hash	string	optional	SHA1 hash of the filtered object
event	string	optional	Event type
rule_id	string	optional	Rule ID
action_taken	string	optional	Action taken
scanner_id	string	optional	Scanner ID
object_uri	string	optional	Object URI
target_address	string	optional	Address of the event destination
target_address_type	string	optional	Type of address of the event destination (25769803777 = IPv4; 25769803778 = IPv6)
handled	string	optional	Indicates whether or not the detection was handled

FilteredWebsites_Event log example:

EnterpriseInspectorAlert_Event

ESET PROTECT forwards ESET Inspect Alerts to Syslog. Specific attributes are as follows:

processname	string	optional	Name of the process causing this alarm
username	string	optional	Owner of the process
rulename	string	optional	Name of the rule triggering this alarm
count	number	optional	Number of alerts of this type generated since last alarm
hash	string	optional	SHA1 hash of the alarm
eiconsolelink	string	optional	Link to the alarm in ESET Inspect console
eialarmid	string	optional	ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$)
computer_severity_score	number	optional	Computer severity score
severity_score	number	optional	Rule severity score

EnterpriseInspectorAlert_Event log example:

BlockedFiles_Event

ESET PROTECT forwards ESET Inspect Blocked files to Syslog. Specific attributes are as follows:

hostname	string	optional	Hostname of the computer with the event
processname	string	optional	Name of the process associated with the event
username	string	optional	Name of the user account associated with the event
hash	string	optional	SHA1 hash of the blocked file
object_uri	string	optional	Object URI
action	string	optional	Action taken
firstseen	string	optional	Time and date when the detection was found for the first time at that machine (date and time format).
cause	string	optional
description	string	optional	Description of the blocked file
handled	string	optional	Indicates whether or not the detection was handled

˄˅