ESET Remote Administrator

The IBM QRadar DSM for ESET Remote Administrator collects logs from ESET Remote Administrator.

The following table describes the specifications for the ESET Remote Administrator DSM:

Table 1. ESET Remote Administrator DSM specifications

| Specification | Value |
| --- | --- |
| Manufacturer | ESET |
| DSM name | ESET Remote Administrator |
| RPM file name | DSM-ESETRemoteAdministrator-QRadar_version-build_number.noarch.rpm |
| Supported versions | 6.4.270 |
| Protocol | Syslog |
| Event format | Log Event Extended Format (LEEF) |
| Recorded event types | Threat; Firewall aggregated; Host Intrusion Protection System (HIPS) aggregated; Audit |
| Automatically discovered? | Yes |
| Includes identity? | Yes |
| Includes custom properties? | No |
| More information | ESET website (https://www.eset.com/us/support/download/business/remote-administrator-6) |

To integrate ESET Remote Administrator with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website in the order that they are listed, on your QRadar Console:
    • DSMCommon RPM
    • ESET Remote Administrator DSM RPM
  2. Configure your ESET Remote Administrator server to send LEEF formatted syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add an ESET Remote Administrator log source on the QRadar Console. The following table describes the parameters that require specific values for ESET Remote Administrator event collection:

    Table 2. ESET Remote Administrator log source parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | ESET Remote Administrator |
    | Protocol Configuration | Syslog |
    | Log Source Identifier | The IP address or host name of the ESET Remote Administrator server. |

  4. To check that QRadar parses the events correctly, review the following sample event message from ESET Remote Administrator:

    Table 3. ESET Remote Administrator sample message

    Event name: Native user login
    Low level category: User Login Success
    Sample log message:
    <14>1 2016-08-15T14:52:31.888Z hostname ERAServer 28021 - - LEEF:1.0|ESET|RemoteAdministrator|<Version>|Native user login|cat=ESET RA Audit Event sev=2 devTime=Aug 15 2016 14:52:31 devTimeFormat=MMM dd yyyy HH:mm:ss src=<Source_IP_address> domain=Native user action=Login attempt target=username detail=Native user 'username' attempted to authenticate. result=Success
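As an added example (not part of the IBM documentation or of the ESET product), the following Python parses the sample audit event above the way a collector would before normalization: it strips the RFC 5424 header, splits the LEEF 1.0 header fields, and splits the attribute block in front of each key so that values containing spaces, such as cat=ESET RA Audit Event, survive intact. The <Version> and <Source_IP_address> placeholders are filled with assumed values (6.4.270 and a documentation-range address).

```python
import re

# Constructed sample: the audit event quoted on this page, with its <Version> and
# <Source_IP_address> placeholders filled in with assumed values (not from the page).
SAMPLE = (
    "<14>1 2016-08-15T14:52:31.888Z hostname ERAServer 28021 - - "
    "LEEF:1.0|ESET|RemoteAdministrator|6.4.270|Native user login|"
    "cat=ESET RA Audit Event sev=2 devTime=Aug 15 2016 14:52:31 "
    "devTimeFormat=MMM dd yyyy HH:mm:ss src=192.0.2.10 domain=Native user "
    "action=Login attempt target=username "
    "detail=Native user 'username' attempted to authenticate. result=Success"
)

# RFC 5424 framing: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>LEEF:.*)$"
)
# Values such as "cat=ESET RA Audit Event" contain spaces, so split the
# attribute block only in front of the next "key=" token.
ATTR_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z][\w.]*=)")


def parse_leef(line: str) -> dict:
    """Parse one RFC 5424 syslog line whose MSG is a LEEF 1.0 record."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 line carrying a LEEF message")
    pri = int(m["pri"])
    # LEEF:1.0|Vendor|Product|Version|EventID|attributes; maxsplit keeps the
    # attribute block whole even if a value contains '|'
    leef, vendor, product, version, event_id, ext = m["msg"].split("|", 5)
    if leef != "LEEF:1.0":
        raise ValueError(f"unsupported LEEF header {leef!r}")
    # LEEF 1.0 delimits attributes with a tab; the sample on this page shows
    # spaces, so fall back to key-boundary splitting when no tab is present
    pairs = ext.split("\t") if "\t" in ext else ATTR_SPLIT_RE.split(ext)
    attrs = dict(p.split("=", 1) for p in pairs if "=" in p)
    return {
        "facility": pri // 8, "syslog_severity": pri % 8,   # <14> = user.info
        "host": m["host"], "app": m["app"], "vendor": vendor,
        "product": product, "version": version, "event_id": event_id,
        "attrs": attrs,
    }


def is_successful_login(ev: dict) -> bool:
    """True for the 'Native user login' audit event that ended with result=Success."""
    return ev["event_id"] == "Native user login" and ev["attrs"].get("result") == "Success"
```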