Events exported to JSON format
JSON is a lightweight format for data exchange. It is built on a collection of name/value pairs and an ordered list of values.
Exported events
This section describes the format and meaning of the attributes of all exported events. Each event message is a JSON object with some mandatory and some optional keys. Every exported event contains the following keys (those marked mandatory are always present; ipv4 and ipv6 are optional):

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| event_type | string | mandatory | Type of exported event: Threat_Event (Antivirus detections), FirewallAggregated_Event (Firewall detections), HipsAggregated_Event (HIPS detections), FilteredWebsites_Event (filtered websites, Web Protection) |
| ipv4 | string | optional | IPv4 address of the computer generating the event. |
| ipv6 | string | optional | IPv6 address of the computer generating the event. |
| source_uuid | string | mandatory | UUID of the computer generating the event. |
| occurred | string | mandatory | UTC time of occurrence of the event. Format is `%d-%b-%Y %H:%M:%S`. |
| severity | string | mandatory | Severity of the event. Possible values (from least severe to most severe) are: Information, Notice, Warning, Error, Critical, Fatal. |
All event types listed below, at all severity levels, are reported to the Syslog server. To filter the event logs sent to Syslog, create a log category notification with a defined filter. The reported values depend on the ESET security product (and its version) installed on the managed computer; ESET PROTECT only forwards the data it receives. ESET therefore cannot provide an exhaustive list of all values. We recommend watching your network and filtering the logs based on the values you actually receive.
Custom keys according to event_type:
Threat_Event
All Antivirus detection events generated by managed endpoints are forwarded to Syslog. Detection event specific keys:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| threat_type | string | optional | Type of detection |
| threat_name | string | optional | Name of detection |
| threat_flags | string | optional | Detection related flags |
| scanner_id | string | optional | Scanner ID |
| scan_id | string | optional | Scan ID |
| engine_version | string | optional | Version of the scanning engine |
| object_type | string | optional | Type of object related to this event |
| object_uri | string | optional | Object URI |
| action_taken | string | optional | Action taken by the Endpoint |
| action_error | string | optional | Error message if the "action" was not successful |
| threat_handled | bool | optional | Indicates whether or not the detection was handled |
| need_restart | bool | optional | Whether or not a restart is needed |
| username | string | optional | Name of the user account associated with the event |
| processname | string | optional | Name of the process associated with the event |
| circumstances | string | optional | Short description of what caused the event |
| hash | string | optional | SHA1 hash of the (detection) data stream. |
| firstseen | string | optional | Time and date when the detection was found for the first time on that machine. ESET PROTECT uses different date-time formats for the firstseen attribute (and any other date-time attribute) depending on the log output format: JSON format `%d-%b-%Y %H:%M:%S`; LEEF format `%b %d %Y %H:%M:%S` |
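The following is an added example, not ESET's code, showing how a consumer would validate the common keys described at the top of this page and the Threat_Event keys above: it rejects events missing a mandatory key, parses `occurred` and `firstseen` with the documented JSON or LEEF date-time format, ranks severity in the documented order, and checks the optional `hash` and boolean keys only when they are present. Key names come from the tables; the sample event lines, UUIDs and hash value are constructed placeholders.

```python
"""Validate and normalize ESET PROTECT JSON events, with Threat_Event checks.

Added example (not ESET's code). Key names and the two date-time formats come
from the tables above; the sample events, UUIDs and hash below are constructed.
"""
import json
import re
from datetime import datetime, timezone

# Keys the page marks as mandatory in every exported event.
MANDATORY_KEYS = ("event_type", "source_uuid", "occurred", "severity")
# Severity names from least to most severe, as listed for the severity key.
SEVERITY_ORDER = ("Information", "Notice", "Warning", "Error", "Critical", "Fatal")
# Date-time formats ESET PROTECT uses depending on the log output format.
TIME_FORMATS = {"JSON": "%d-%b-%Y %H:%M:%S", "LEEF": "%b %d %Y %H:%M:%S"}
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_timestamp(value, output_format="JSON"):
    """Parse an exported date-time string; the page states these times are UTC."""
    return datetime.strptime(value, TIME_FORMATS[output_format]).replace(tzinfo=timezone.utc)


def severity_rank(name):
    """Position in SEVERITY_ORDER; unknown names are rejected rather than guessed."""
    if name not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {name!r}")
    return SEVERITY_ORDER.index(name)


def check_threat_event(event, output_format="JSON"):
    """Validate the optional Threat_Event keys that are present (absent keys are fine)."""
    if "hash" in event and not SHA1_RE.match(str(event["hash"])):
        raise ValueError("hash is not a 40-hex-digit SHA1")
    for key in ("threat_handled", "need_restart"):
        if key in event and not isinstance(event[key], bool):
            raise ValueError(f"{key} must be a JSON boolean")
    if "firstseen" in event:
        # firstseen follows the same JSON/LEEF format rule as occurred.
        event["firstseen_utc"] = parse_timestamp(event["firstseen"], output_format)


def parse_event(line, output_format="JSON"):
    """Parse one JSON event and add occurred_utc / severity_rank; raise on bad input."""
    event = json.loads(line)
    missing = [k for k in MANDATORY_KEYS if k not in event]
    if missing:
        raise ValueError(f"missing mandatory keys: {missing}")
    event["occurred_utc"] = parse_timestamp(event["occurred"], output_format)
    event["severity_rank"] = severity_rank(event["severity"])
    if event["event_type"] == "Threat_Event":
        check_threat_event(event, output_format)
    return event


def filter_events(lines, min_severity="Warning", output_format="JSON"):
    """Return (kept, rejected): events at or above min_severity, and unparseable lines."""
    threshold = severity_rank(min_severity)
    kept, rejected = [], []
    for line in lines:
        try:
            event = parse_event(line, output_format)
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append((line, str(exc)))
            continue
        if event["severity_rank"] >= threshold:
            kept.append(event)
    return kept, rejected


# Constructed sample lines (not real ESET output). UUIDs are placeholders; the hash
# is SHA1 of the empty string, used only because it is a valid 40-hex-digit value.
SAMPLE_LINES = [
    json.dumps({
        "event_type": "Threat_Event", "ipv4": "192.0.2.10",
        "source_uuid": "00000000-0000-4000-8000-000000000001",
        "occurred": "05-Mar-2024 14:22:31", "severity": "Warning",
        "threat_type": "test file", "threat_name": "Eicar test file",
        "hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "threat_handled": True, "need_restart": False,
        "firstseen": "04-Mar-2024 09:00:00",
    }),
    json.dumps({
        "event_type": "Threat_Event",
        "source_uuid": "00000000-0000-4000-8000-000000000002",
        "occurred": "05-Mar-2024 14:25:02", "severity": "Notice",
        "threat_handled": True,
    }),
    # Missing source_uuid and occurred: must be rejected, not silently kept.
    '{"event_type": "Threat_Event", "severity": "Critical"}',
]

if __name__ == "__main__":
    kept, rejected = filter_events(SAMPLE_LINES, "Warning")
    for ev in kept:
        print(ev["occurred_utc"].isoformat(), ev["severity"], ev.get("threat_name"))
    print(f"{len(kept)} kept, {len(rejected)} rejected")
```

Note that `%b` parsing depends on the process locale; the example assumes the default C locale, where abbreviated month names are English as in the documented format. Pass `output_format="LEEF"` when the same consumer reads LEEF output, since only the date-time layout differs.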
FirewallAggregated_Event
Event logs generated by the ESET Firewall (Firewall detections) are aggregated by the managing ESET Management Agent to avoid wasting bandwidth during ESET Management Agent / ESET PROTECT Server replication. Firewall event specific keys:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| event | string | optional | Event name |
| source_address | string | optional | Address of the event source |
| source_address_type | string | optional | Type of address of the event source |
| source_port | number | optional | Port of the event source |
| target_address | string | optional | Address of the event destination |
| target_address_type | string | optional | Type of address of the event destination |
| target_port | number | optional | Port of the event destination |
| protocol | string | optional | Protocol |
| account | string | optional | Name of the user account associated with the event |
| process_name | string | optional | Name of the process associated with the event |
| rule_name | string | optional | Rule name |
| rule_id | string | optional | Rule ID |
| inbound | bool | optional | Whether or not the connection was inbound |
| threat_name | string | optional | Name of the detection |
| aggregate_count | number | optional | Number of identical messages generated by the endpoint between two consecutive replications between the ESET PROTECT Server and the managing ESET Management Agent |
| action | string | optional | Action taken |
| handled | string | optional | Indicates whether or not the detection was handled |
FirewallAggregated_Event log example:
HipsAggregated_Event
Events from the Host-based Intrusion Prevention System (HIPS detections) are filtered on severity before they are sent on as Syslog messages. HIPS specific attributes are as follows:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| application | string | optional | Application name |
| operation | string | optional | Operation |
| target | string | optional | Target |
| action | string | optional | Action taken |
| action_taken | string | optional | Action taken by the Endpoint |
| rule_name | string | optional | Rule name |
| rule_id | string | optional | Rule ID |
| aggregate_count | number | optional | Number of identical messages generated by the endpoint between two consecutive replications between the ESET PROTECT Server and the managing ESET Management Agent |
| handled | string | optional | Indicates whether or not the detection was handled |
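Both FirewallAggregated_Event and HipsAggregated_Event carry `aggregate_count`, so one received message can stand for many identical detections. The added example below (not ESET's code) shows a threshold rule that sums `aggregate_count` per source computer and rule instead of counting messages, which is the difference between catching and missing a burst that the Agent collapsed before replication. Key names are from the two tables; the UUIDs, rule IDs, addresses and counts in the sample events are constructed.

```python
"""Weight aggregated Firewall and HIPS events by aggregate_count.

Added example (not ESET's code). A rule that counts received messages undercounts,
because the Agent collapses identical messages into one between replications and
records the true number in aggregate_count. Sample events below are constructed.
"""
from collections import Counter

AGGREGATED_TYPES = ("FirewallAggregated_Event", "HipsAggregated_Event")


def group_key(event):
    """Key identifying 'the same thing happening' for threshold purposes."""
    kind = event["event_type"]
    if kind == "FirewallAggregated_Event":
        return (event["source_uuid"], "firewall", event.get("rule_id"),
                event.get("source_address"), bool(event.get("inbound")))
    if kind == "HipsAggregated_Event":
        return (event["source_uuid"], "hips", event.get("rule_id"),
                event.get("application"), event.get("operation"))
    raise ValueError(f"not an aggregated event type: {kind!r}")


def event_weight(event):
    """aggregate_count when present; a message without one stands for itself."""
    count = event.get("aggregate_count", 1)
    if isinstance(count, bool) or not isinstance(count, int) or count < 1:
        raise ValueError(f"invalid aggregate_count {count!r}")
    return count


def weighted_totals(events):
    """Sum of aggregate_count per group_key, ignoring non-aggregated event types."""
    totals = Counter()
    for event in events:
        if event.get("event_type") in AGGREGATED_TYPES:
            totals[group_key(event)] += event_weight(event)
    return totals


def over_threshold(events, threshold):
    """Groups whose weighted total reaches the threshold, with their totals."""
    return [(key, total) for key, total in weighted_totals(events).items()
            if total >= threshold]


SAMPLE_EVENTS = [  # constructed; UUIDs, rule IDs and addresses are placeholders
    {"event_type": "FirewallAggregated_Event", "source_uuid": "uuid-a",
     "rule_id": "rule-1", "source_address": "198.51.100.7", "inbound": True,
     "action": "blocked", "aggregate_count": 40},
    {"event_type": "FirewallAggregated_Event", "source_uuid": "uuid-a",
     "rule_id": "rule-1", "source_address": "198.51.100.7", "inbound": True,
     "action": "blocked", "aggregate_count": 15},
    {"event_type": "FirewallAggregated_Event", "source_uuid": "uuid-a",
     "rule_id": "rule-2", "source_address": "198.51.100.8", "inbound": False,
     "action": "allowed"},  # no aggregate_count: counts as one
    {"event_type": "HipsAggregated_Event", "source_uuid": "uuid-b",
     "rule_id": "rule-9", "application": "C:\\example\\app.exe",
     "operation": "write", "aggregate_count": 3},
    {"event_type": "Threat_Event", "source_uuid": "uuid-b"},  # not aggregated, ignored
]

if __name__ == "__main__":
    print("messages received:", len(SAMPLE_EVENTS))
    print("weighted total:", sum(weighted_totals(SAMPLE_EVENTS).values()))
    for key, total in over_threshold(SAMPLE_EVENTS, 50):
        print("threshold reached:", key, total)
```

With the sample input, five messages represent 59 detections, and only the repeated inbound rule-1 hits from one source cross a threshold of 50; counting messages would never have reached it.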
HipsAggregated_Event log example:
Audit_Event
ESET PROTECT forwards internal audit log messages to Syslog. Specific attributes are as follows:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| domain | string | optional | Audit log domain |
| action | string | optional | Action taking place |
| target | string | optional | Target the action is operating on |
| detail | string | optional | Detailed description of the action |
| user | string | optional | Security user involved |
| result | string | optional | Result of the action |
FilteredWebsites_Event
ESET PROTECT forwards the filtered websites (Web Protection detections) to Syslog. Specific attributes are as follows:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| hostname | string | optional | Hostname of the computer with the event |
| processname | string | optional | Name of the process associated with the event |
| username | string | optional | Name of the user account associated with the event |
| hash | string | optional | SHA1 hash of the filtered object |
| event | string | optional | Event type |
| rule_id | string | optional | Rule ID |
| action_taken | string | optional | Action taken |
| scanner_id | string | optional | Scanner ID |
| object_uri | string | optional | Object URI |
| target_address | string | optional | Address of the event destination |
| target_address_type | string | optional | Type of address of the event destination (25769803777 = IPv4; 25769803778 = IPv6) |
| handled | string | optional | Indicates whether or not the detection was handled |
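The `target_address_type` codes above are the only two the page documents, so a consumer should decode exactly those and flag anything else rather than guess. The added example below (not ESET's code) maps the code to an address family, checks that `target_address` really is a literal of that family, and separates clean events from ones worth a look (undocumented code, family mismatch, or a hostname where an IP was declared). The sample events are constructed and use documentation address ranges.

```python
"""Decode target_address_type in FilteredWebsites_Event and verify the address.

Added example (not ESET's code). The two codes come from the table above
(25769803777 = IPv4, 25769803778 = IPv6); any other value is reported as
undocumented instead of guessed. Sample events are constructed.
"""
import ipaddress

ADDRESS_TYPE_CODES = {25769803777: "IPv4", 25769803778: "IPv6"}


def decode_target(event):
    """Return (declared_family, ip_address_or_None, problem_or_None)."""
    raw = event.get("target_address_type")
    try:
        code = int(raw)  # documented as a string; digits in a string or an int both work
    except (TypeError, ValueError):
        return ("unknown", None, f"unparseable target_address_type {raw!r}")
    family = ADDRESS_TYPE_CODES.get(code)
    if family is None:
        return ("unknown", None, f"undocumented target_address_type code {code}")
    text = event.get("target_address")
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return (family, None, f"target_address is not an IP literal: {text!r}")
    actual = "IPv4" if addr.version == 4 else "IPv6"
    if actual != family:
        return (family, addr, f"declared {family} but target_address is {actual}")
    return (family, addr, None)


def audit_targets(events):
    """Split events into (clean, flagged); each entry is (event, family, addr, problem)."""
    clean, flagged = [], []
    for event in events:
        family, addr, problem = decode_target(event)
        (flagged if problem else clean).append((event, family, addr, problem))
    return clean, flagged


SAMPLE_EVENTS = [  # constructed; addresses are from documentation ranges
    {"event_type": "FilteredWebsites_Event", "target_address": "203.0.113.5",
     "target_address_type": "25769803777", "action_taken": "blocked"},
    {"event_type": "FilteredWebsites_Event", "target_address": "2001:db8::1",
     "target_address_type": "25769803778", "action_taken": "blocked"},
    {"event_type": "FilteredWebsites_Event", "target_address": "2001:db8::2",
     "target_address_type": "25769803777"},  # declared IPv4, address is IPv6
    {"event_type": "FilteredWebsites_Event", "target_address": "203.0.113.9",
     "target_address_type": "99"},  # code not in the documentation
    {"event_type": "FilteredWebsites_Event", "target_address": "example.invalid",
     "target_address_type": "25769803777"},  # hostname where an IP literal is declared
]

if __name__ == "__main__":
    clean, flagged = audit_targets(SAMPLE_EVENTS)
    print(f"{len(clean)} clean, {len(flagged)} flagged")
    for _, family, _, problem in flagged:
        print(family, "->", problem)
```

Flagged events are not necessarily malformed: as the page notes, the set of values depends on the installed product and version, so an unfamiliar code is a prompt to extend the mapping after checking what the endpoint actually sends.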
FilteredWebsites_Event log example:
EnterpriseInspectorAlert_Event
ESET PROTECT forwards ESET Inspect Alerts to Syslog. Specific attributes are as follows:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| processname | string | optional | Name of the process causing this alarm |
| username | string | optional | Owner of the process |
| rulename | string | optional | Name of the rule triggering this alarm |
| count | number | optional | Number of alerts of this type generated since the last alarm |
| hash | string | optional | SHA1 hash of the alarm |
| eiconsolelink | string | optional | Link to the alarm in the ESET Inspect console |
| eialarmid | string | optional | ID sub-part of the alarm link (`$1` in `^http.*/alarm/([0-9]+)$`) |
| computer_severity_score | number | optional | Computer severity score |
| severity_score | number | optional | Rule severity score |
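The added example below (not ESET's code) applies the pattern quoted for `eialarmid` to `eiconsolelink`, falls back to the derived ID when `eialarmid` is absent, flags the two disagreeing, and orders alerts for triage by `severity_score` and then `count`. Because the documented pattern anchors the digits at the end of the string, a link with a trailing query string does not match, and the example shows that case. The console URL, alarm IDs and scores in the samples are constructed placeholders.

```python
"""Derive the ESET Inspect alarm ID from eiconsolelink and order alerts for triage.

Added example (not ESET's code). The regular expression is the one quoted in
the table (eialarmid is $1 in ^http.*/alarm/([0-9]+)$); the console URL and
alert values below are constructed placeholders.
"""
import re

ALARM_LINK_RE = re.compile(r"^http.*/alarm/([0-9]+)$")


def alarm_id_from_link(link):
    """Group 1 of the documented pattern, or None when the link does not match."""
    match = ALARM_LINK_RE.match(link or "")
    return match.group(1) if match else None


def resolve_alarm_id(event):
    """Return (alarm_id, note): prefer eialarmid, fall back to the link, flag disagreement."""
    declared = event.get("eialarmid")
    derived = alarm_id_from_link(event.get("eiconsolelink"))
    if declared and derived and declared != derived:
        return (declared, "eialarmid does not match eiconsolelink")
    if not declared and not derived:
        return (None, "no alarm id in event")
    return (declared or derived, None)


def triage_order(events):
    """Alarm IDs sorted by rule severity_score, then count, highest first."""
    def key(event):
        return (event.get("severity_score", 0), event.get("count", 0))
    return [resolve_alarm_id(e)[0] for e in sorted(events, key=key, reverse=True)]


SAMPLE_ALERTS = [  # constructed
    {"event_type": "EnterpriseInspectorAlert_Event", "rulename": "Rule A",
     "eiconsolelink": "https://inspect.example.invalid/console/alarm/12345",
     "eialarmid": "12345", "severity_score": 60, "count": 2},
    {"event_type": "EnterpriseInspectorAlert_Event", "rulename": "Rule B",
     "eiconsolelink": "https://inspect.example.invalid/console/alarm/777",
     "severity_score": 90, "count": 1},  # no eialarmid: derive it from the link
    {"event_type": "EnterpriseInspectorAlert_Event", "rulename": "Rule C",
     "eiconsolelink": "https://inspect.example.invalid/console/alarm/42?tab=details",
     "eialarmid": "42", "severity_score": 60, "count": 5},  # query string: pattern needs digits last
]

if __name__ == "__main__":
    for event in SAMPLE_ALERTS:
        print(event["rulename"], resolve_alarm_id(event))
    print("triage order:", triage_order(SAMPLE_ALERTS))
```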
EnterpriseInspectorAlert_Event log example:
BlockedFiles_Event
ESET PROTECT forwards ESET Inspect Blocked files to Syslog. Specific attributes are as follows:

| Key | Type | Mandatory/optional | Description |
|---|---|---|---|
| hostname | string | optional | Hostname of the computer with the event |
| processname | string | optional | Name of the process associated with the event |
| username | string | optional | Name of the user account associated with the event |
| hash | string | optional | SHA1 hash of the blocked file |
| object_uri | string | optional | Object URI |
| action | string | optional | Action taken |
| firstseen | string | optional | Time and date when the detection was found for the first time on that machine (date and time format). |
| cause | string | optional | |
| description | string | optional | Description of the blocked file |
| handled | string | optional | Indicates whether or not the detection was handled |