Eset Intergration

[AjDenning]

Hello,
I am working on getting our ESET to push push syslog our Wazuh but not able to get it working. Also we have 2 main vlans so i have 2 NIC's on my ubuntu desktop that i am using as a test machine. Below are the configs i have for the remote connection and yes i have scrubbed the ip's. Also have a screenshot of our ESET syslog setting with IP's scrubbed. Just wondering if i am missing something or will i have to build out rules and decoders just to get it to work.

Thanks in advance

[mdiego92]

Hello @AjDenning,

You can verify if the Wazuh manager is listening on port 514 with:
netstat -tunap | grep :514

If you see it there, the transmitted message isn't triggering any alert. You may see the message with:
tcpdump -i any port 514 -AA

By default, Wazuh has decoders (0575-eset-remote_decoders.xml) and rules (0925-eset-remote_rules.xml) for ESET, but we will need to verify if they match the format of the logs you're receiving.

Finally, I would like to remind you that there is a documentation article to forward syslog events to Wazuh step by step: Forward syslog events - Your environment · Wazuh documentation

Please let me know if you have any remaining questions.
Looking forward to your feedback!

[AjDenning]

Hey @mdiego92
Thanks for the reply and 514 is working because i am pushing Fortigate logs through it, also i put the screenshot from the netstat. I have followed the documentation from Wazuh, which is a amazing, Just really wanting to verify everything is set up right on the wazuh side.

[mdiego92]

Hello @AjDenning,

Great! Then you can confirm if you're properly receiving ESET logs with these commands:

• tcpdump -i any port 514 -AA | grep -i eset
• cat /var/ossec/logs/alerts/alerts.json | grep -i eset

If you don't see any events with the second command, it means that the logs you're receiving do not match rules and decoders. In that case, please enable the archives.json file <logall_json>yes</logall_json> in the ossec.conf file and then restart the manager. After these changes, you will be able to execute the following command, which will show you how Wazuh is receiving the logs even if they do not match decoders or rules.

cat /var/ossec/logs/archives/archives.json | grep -i eset

Once you collect these logs, please share them with me so I can assist you with the decoders and rules.
Remember to disable the logall_json setting and restart the manager to avoid consuming unnecessary resources with it.

Please let me know if you have any remaining questions.
Best regards!

[AjDenning]

Hey @mdiego92
Thanks for helping me verify everything should be working. As for the archive that is going to be a little bit harder to get to you as it has a ton of things in there due to all the firewall logs and having a policy in there for eset. So it would take me weeks to get that to you especially with the holidays coming up. I will look at our network again and make sure something isnt blocking me there. Thank you for all the help.

[mdiego92]

No problem, @AjDenning. I'm glad I was able to help you.
Please feel free to let me know if you were able to check it after the holidays and we can continue troubleshooting it.

Best regards!

[julian560]

I'm also trying out this feature. I'm using the on-prem version of ESET Protect, and I've enabled syslog. Through the command "tcpdump -i any udp port 514 -AA" on Wazuh, I can see the logs coming in, but I'm unable to capture data in Wazuh.