Watching too many movies might give you the impression that cyber attacks are launched by well-funded masterminds able to control the internet at their whim. In reality, a successful attack can be as simple as disguising malicious software as a link to a commonly used site and tricking someone into clicking it, a technique known as phishing.
The result is that many cyber attacks are carried out by taking advantage of unsuspecting end users.
ESET is a popular endpoint protection vendor whose antivirus and firewall products help identify and block these kinds of attacks. ESET is effective on its own, but, like every other security tool, its findings are siloed from the rest of an organization's security information.
This is where Logz.io Cloud SIEM comes into the picture. By consolidating findings from across an organization's security tooling, all security events can be prioritized and investigated according to their severity. ESET logs are automatically parsed and enriched with security information.
Ship ESET logs to Logz.io
The easiest way to ship ESET logs to Logz.io is with Filebeat, a lightweight open source agent that receives the logs from your ESET server and forwards them. In this walkthrough Filebeat runs on a host that acts as the syslog receiver for ESET; any machine the ESET server can reach over TCP will do. Let's install and run Filebeat to start shipping logs.
ESET sends its syslog stream over TLS, so the first step is to create a certificate and private key that the Filebeat listener presents to ESET when it connects. Generate a self-signed pair with the commands below (the key is written unencrypted, so restrict its permissions to the user Filebeat runs as, and note that a 365-day certificate must be renewed before it expires or ESET will stop delivering logs):
```shell
sudo mkdir /etc/filebeat/certificates
# Self-signed certificate and key for the Filebeat TLS input; answer the
# subject prompts as you like.
sudo openssl req -newkey rsa:2048 -nodes \
  -keyout /etc/filebeat/certificates/ESET.key -x509 \
  -days 365 \
  -out /etc/filebeat/certificates/ESET.crt
```
Next, download the Logz.io CA certificate into your certificate authority folder so Filebeat can verify the Logz.io listener when it ships over TLS. Note that the downloaded file is saved under a different name than it carries in the repository; the output section of the Filebeat configuration below references the saved path:
```shell
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/TrustExternalCARoot_and_USERTrustRSAAAACA.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
```
Now we can configure Filebeat. Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Replace the file’s contents with the code block below, which adds ESET as an input and sets Logz.io as the output.
```yaml
# ...
filebeat.inputs:
- type: tcp
  max_message_size: 10MiB
  # Listens on every interface; restrict access to the ESET server's
  # address with a host firewall.
  host: "0.0.0.0:6514"
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certificates/ESET.crt"
  ssl.key: "/etc/filebeat/certificates/ESET.key"
  # No client certificate is requested from or verified for the ESET server.
  ssl.verification_mode: none
  fields:
    logzio_codec: plain
    # Your Logz.io account token. You can find your token at
    # https://app.logz.io/#/dashboard/settings/manage-accounts
    token: <<SHIPPING-TOKEN>>
    type: eset
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
```
Make sure to replace:
- <<SHIPPING-TOKEN>> with your Logz.io shipping token
- <<LISTENER-HOST>> with your region's listener host (for example, listener.logz.io)
Double check that Logz.io is the only output and that it appears only once; remove any other outputs from the file. Start or restart Filebeat for the changes to take effect.
Finally, configure ESET to send its logs to the Filebeat listener; ESET makes this easy. In the left-side menu click the three dots, then More > Server Settings, and expand the advanced options.
In the Server Settings page fill out the syslog server fields:
- Host – the address of the host running Filebeat
- Port – 6514 (ESET's default; it matches the host: "0.0.0.0:6514" line in the Filebeat input above, so change both if you use another port)
- Format – BSD
- Transport – TLS
Towards the bottom of the page, enable Export logs to Syslog and select JSON as the exported log format. The two format settings are not in conflict: BSD is the syslog framing each message is wrapped in, while JSON is the format of the ESET event inside it, which is what Logz.io parses into fields.
Check Logz.io for your logs. If you don’t see them, see our log shipping troubleshooting page.
Automatically enrich, analyze, and investigate ESET security events
Once you begin sending your ESET logs, Logz.io will enrich them to make them easier to visualize and investigate in Kibana.
The first way is by parsing them, which breaks each log line down into fields and adds information that is useful during a security investigation, such as host name, IP address, attack severity, and so on.
The second way is by cross-referencing them with security rules, which identify the highest-priority attacks and send an alert to your chosen endpoint (Slack, OpsGenie, Gmail, BigPanda, and more). With Logz.io's rules, all findings are prioritized automatically as soon as the ESET logs are shipped.
These rules are based on Logz.io’s security team’s experience, but you can configure your own as well. See a few examples of Logz.io’s ESET rules below:
ESET logs that trigger these rules become security events, which should be considered the top security threats for most environments and situations. To make security events easier to visualize, Logz.io Cloud SIEM comes with an out-of-the-box security dashboard for ESET rules.
The top left and top middle visuals show the amount of ESET security events over time and the top right visual breaks the attacks down by severity. The bottom left visual shows the type and volume of security events triggered for each end user and the bottom right visual breaks all threats down by type.
While ESET scans downloads for viruses and other malicious files, it obviously cannot catch malware that was already on a host before ESET was installed. That is why ESET also has an On-Demand Scan capability, which finds malicious files that have already infected a host.
Logz.io has a rule for On Demand Scans, which shows the malicious files that have already made it to end users. The visual below collects all of the malicious files identified by ESET on your end-users hardware so you know where to start with remediation efforts.
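To make the two enrichment steps above and the On-Demand Scan rule concrete, here is an added example of how parsing and rule evaluation fit together. It is not Logz.io's parser or rule set (neither is shown on this page): it splits the BSD syslog header from the JSON event ESET exports, runs three illustrative rules over the result and groups on-demand scan findings by host for remediation. The JSON field names follow ESET PROTECT's documented syslog export but are assumptions here, the rule titles are made up, and the log lines are constructed.

```python
"""Parse ESET JSON-over-syslog lines and apply a few example security rules.

Added example; it is not Logz.io's parser or rule set. The JSON field names
follow ESET PROTECT's documented syslog export (an assumption here), and the
log lines below are constructed for the example.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample lines as Filebeat would receive them: a BSD syslog
# header followed by ESET's JSON event. The last line is deliberately junk.
SAMPLE_LINES = [
    '<12>Mar  8 14:02:11 eset-protect ERAServer: {"event_type":"Threat_Event",'
    '"ipv4":"10.0.0.23","hostname":"WS-FINANCE-07","severity":"Warning",'
    '"threat_name":"Win32/TestFile.A","scanner_id":"Real-time file system protection",'
    '"object_uri":"file:///C:/Users/jdoe/Downloads/invoice.exe",'
    '"action_taken":"cleaned by deleting","threat_handled":true,"username":"CORP\\\\jdoe"}',
    '<12>Mar  8 14:05:40 eset-protect ERAServer: {"event_type":"Threat_Event",'
    '"ipv4":"10.0.0.41","hostname":"WS-HR-02","severity":"Critical",'
    '"threat_name":"Win32/Agent.XYZ","scanner_id":"On-demand scanner",'
    '"object_uri":"file:///C:/ProgramData/svc/update.exe",'
    '"action_taken":"","threat_handled":false,"username":"CORP\\\\asmith"}',
    '<14>Mar  8 14:06:02 eset-protect ERAServer: {"event_type":"FirewallAggregated_Event",'
    '"ipv4":"10.0.0.41","hostname":"WS-HR-02","severity":"Information",'
    '"event":"Security vulnerability exploitation attempt","source_address":"198.51.100.7",'
    '"target_port":445,"protocol":"TCP","action":"Blocked","aggregate_count":3}',
    '<14>Mar  8 14:07:00 eset-protect ERAServer: {"event_type":"Audit_Event",'
    '"hostname":"eset-protect","severity":"Information","action":"Logout","user":"Administrator","result":"Success"}',
    'not a syslog line at all',
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<payload>\{.*\})$"
)
SEVERITY_RANK = {"Information": 1, "Warning": 2, "Error": 3, "Critical": 4}


def parse_line(line: str) -> Optional[Dict]:
    """Split a BSD syslog line into its header and the decoded ESET JSON.

    Returns None for frames that do not match or carry invalid JSON, so one
    malformed line is dropped instead of stopping the pipeline.
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    try:
        event = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    pri = int(m.group("pri"))
    event["syslog"] = {"facility": pri // 8, "severity": pri % 8,
                       "timestamp": m.group("ts"), "source": m.group("host")}
    return event


# (title, predicate, minimum severity the event is raised to)
RULES = [
    ("Unhandled threat on endpoint",
     lambda e: e.get("event_type") == "Threat_Event" and e.get("threat_handled") is False,
     "Critical"),
    ("On-demand scan found existing malware",
     lambda e: e.get("event_type") == "Threat_Event" and e.get("scanner_id") == "On-demand scanner",
     "Warning"),
    ("Network exploitation attempt blocked",
     lambda e: e.get("event_type") == "FirewallAggregated_Event"
               and "exploit" in e.get("event", "").lower(),
     "Warning"),
]


def evaluate(lines: List[str]) -> List[Dict]:
    """Run every rule over every parsable line and return security events,
    highest severity first (the sort is stable, so rule order breaks ties)."""
    events = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        for title, predicate, floor in RULES:
            if predicate(e):
                sev = max(e.get("severity", "Information"), floor,
                          key=lambda s: SEVERITY_RANK.get(s, 0))
                events.append({"rule": title, "severity": sev,
                               "host": e.get("hostname"), "event": e})
    events.sort(key=lambda ev: SEVERITY_RANK.get(ev["severity"], 0), reverse=True)
    return events


def files_for_remediation(events: List[Dict]) -> Dict[str, List[str]]:
    """Group on-demand scan findings by host: the list you need to start
    cleaning up machines that were already infected."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        if ev["rule"] == "On-demand scan found existing malware":
            out.setdefault(ev["host"], []).append(ev["event"].get("object_uri", "?"))
    return out


if __name__ == "__main__":
    found = evaluate(SAMPLE_LINES)
    for ev in found:
        print(f'{ev["severity"]:<11} {ev["host"]:<14} {ev["rule"]}')
    print(files_for_remediation(found))
```

Two design points carry over to any SIEM rule set: a rule can only raise an event's severity, never lower it, so an endpoint that ESET already marks Critical stays at the top of the queue, and the parser drops a frame it cannot decode rather than raising, because one corrupt line from a misconfigured syslog sender should not stall ingestion for every other host.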
After ESET begins detecting security attacks, you move on to analysis. But, it can be overwhelming to know where to start unless you’re a real expert in endpoint protection.
This is where Logz.io Cloud SIEM can make a difference. The rules and dashboards put together by our security team make it easier to know where the greatest threats are and how to investigate them.
This isn't just true for ESET, but for many other security tools and cloud technologies as well. Logz.io Cloud SIEM integrates with many more security tools, including products from HashiCorp, Palo Alto Networks, Check Point, and McAfee. Additionally, Logz.io can enrich logs from cloud technologies like AWS CloudTrail, AWS GuardDuty, Microsoft Active Directory and Azure Sentinel.
When you put it all together, you have one place to centralize, prioritize, and investigate security threats from across your environment and security tooling.
To learn more about Logz.io Cloud SIEM, check out the product page.