Console
    Start free

    Collect ESET EDR logs

    Supported in:

    This document explains how to ingest ESET EDR logs to Google Security Operations using the Bindplane agent.

    ESET Endpoint Detection and Response (EDR) is a security solution that generates syslog messages for threat detections, firewall events, process activity, and security audit actions. The parser extracts fields from JSON-formatted syslog and maps them to the Unified Data Model (UDM).

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the ESET PROTECT server
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Privileged access to ESET PROTECT console (on-premises or Cloud)

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    4. Save the file securely on the system where the Bindplane agent will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.

    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

      The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

      The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see the Bindplane agent installation guide .

    Configure the Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

    • Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/eset_edr 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 ESET_EDR 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/eset_edr_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/eset_edr

    Configuration parameters

    Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended)
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

    • Exporter configuration:

      • creds_file_path : Full path to ingestion authentication file:
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for complete list

    Save the configuration file

    • After editing, save the file:
      • Linux: Press Ctrl+O , then Enter , then Ctrl+X
      • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

      1. Verify the service is running:

         sudo  
systemctl  
status  
observiq-otel-collector

      2. Check logs for errors:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    • To restart the Bindplane agent in Windows, choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

        4. Verify the service is running:

           sc query observiq-otel-collector

        5. Check logs for errors:

            type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure syslog on ESET PROTECT on-premises

    1. Sign in to the ESET PROTECTweb console.
    2. Click More > Settings > Advanced Settings > Syslog Server.
    3. Toggle the Enable Syslogswitch to enable syslog.
    4. Provide the following configuration details:
      • Host: Enter the Bindplane agent IP address.
      • Port: Enter 514 .
      • Format: Select Syslog.
      • Transport: Select UDP.
      • Trace log verbosity: Select Informational.
      • Export logs to Syslog: Set to Enable.
      • Exported logs format: Select JSON.
    5. Click Save.

    Configure syslog on ESET PROTECT Cloud

    1. Sign in to the ESET PROTECT Cloudconsole.
    2. Click More > Settings > Syslog Server.
    3. Toggle the Enable Syslogswitch to enable syslog.
    4. Provide the following configuration details:
      • Format of payload: Select JSON.
      • Format of envelope: Select Syslog.
      • Minimum log Level: Select Informational.
      • Event types to log: Select All(or specific types as needed).
      • Destination IP: Enter the Bindplane agent IP address.
      • Port: Enter 514 .
    5. Click Save.

    UDM mapping table

    Log Field UDM Mapping Logic
    action
    		 event1.idm.read_only_udm.security_result.action Conditionally set to BLOCK if the value is Blocked .
    actionTaken
    		 event2.idm.read_only_udm.metadata.event_type Conditionally set to SCAN_PROCESS if the value is Cleaned by deleting .
    actionTaken
    		 event1.idm.read_only_udm.security_result.action_details Directly mapped from the actionTaken field.
    actionTaken
    		 event2.idm.read_only_udm.security_result.action_details Directly mapped from the actionTaken field.
    accountName
    		 event2.idm.read_only_udm.additional.fields.value.string_value Directly mapped from the accountName field. The key is set to accountName .
    app
    		 event3.idm.read_only_udm.principal.application Directly mapped from the app field.
    circumstances
    		 event2.idm.read_only_udm.additional.fields.value.string_value Directly mapped from the circumstances field. The key is set to circumstances .
    Computer_name
    		 event3.idm.read_only_udm.principal.hostname Directly mapped from the Computer_name field.
    Computer_name
    		 event3.idm.read_only_udm.principal.asset.hostname Directly mapped from the Computer_name field.
    date_time
    Detection_name
    		 event3.idm.read_only_udm.security_result.threat_name Directly mapped from the Detection_name field.
    Detectiontype
    		 event3.idm.read_only_udm.security_result.category_details Directly mapped from the Detectiontype field.
    dst
    		 event2.idm.read_only_udm.target.ip Directly mapped from the dst field.
    dst
    		 event2.idm.read_only_udm.target.asset.ip Directly mapped from the dst field.
    dstPort
    		 event2.idm.read_only_udm.target.port Directly mapped from the dstPort field after converting it to an integer.
    event
    		 event1.idm.read_only_udm.metadata.description Directly mapped from the event field.
    event_type
    		 event1.idm.read_only_udm.metadata.product_event_type Directly mapped from the event_type field.
    event_type
    		 event1.idm.read_only_udm.metadata.event_type Conditionally set to NETWORK_CONNECTION if the value is FirewallAggregated_Event .
    hash
    		 event1.idm.read_only_udm.target.file.sha1 Directly mapped from the hash field after converting it to lowercase.
    hostname
    		 event1.idm.read_only_udm.target.hostname Directly mapped from the hostname field.
    hostname
    		 event1.idm.read_only_udm.target.asset.hostname Directly mapped from the hostname field.
    hostname
    		 event.alert.devices.hostname Directly mapped from the hostname field.
    ipv4
    		 event1.idm.read_only_udm.principal.ip Directly mapped from the ipv4 field. This field is first stored in a temporary field udm_ip .
    ipv4
    		 event1.idm.read_only_udm.principal.asset.ip Directly mapped from the ipv4 field. This field is first stored in a temporary field udm_ip .
    ipv4
    		 event.alert.devices.ip_addresses Directly mapped from the ipv4 field after converting it to an IP address.
    Logged_user
    		 event3.idm.read_only_udm.principal.user.userid Directly mapped from the Logged_user field.
    objectUri
    		 event1.idm.read_only_udm.target.file.full_path Directly mapped from the objectUri field.
    objectUri
    		 event2.idm.read_only_udm.target.file.full_path Directly mapped from the objectUri field.
    processName
    		 event2.idm.read_only_udm.target.process.file.full_path Directly mapped from the processName field.
    processName
    		 event1.idm.read_only_udm.principal.process.file.full_path Directly mapped from the processName field.
    process_id
    		 event3.idm.read_only_udm.principal.process.pid Directly mapped from the process_id field.
    process_id
    		 event2.idm.read_only_udm.target.process.pid Directly mapped from the process_id field.
    protocol
    		 event1.idm.read_only_udm.network.ip_protocol Directly mapped from the protocol field.
    proto
    		 event2.idm.read_only_udm.network.ip_protocol Directly mapped from the proto field.
    result
    		 event2.idm.read_only_udm.security_result.action Conditionally set to ALLOW if the value is Success .
    Scanner
    		 event3.idm.read_only_udm.security_result.description Directly mapped from the Scanner field.
    severity
    		 event1.idm.read_only_udm.security_result.severity Mapped from the severity field based on these conditions: - INFO , Informational , DEBUG , info : INFORMATIONAL - ERROR , error : ERROR - WARNING , Warning : LOW
    source_address
    		 event1.idm.read_only_udm.principal.ip Directly mapped from the source_address field.
    source_address
    		 event1.idm.read_only_udm.principal.asset.ip Directly mapped from the source_address field.
    source_port
    		 event1.idm.read_only_udm.principal.port Directly mapped from the source_port field after converting it to an integer.
    source_uuid
    		 event1.idm.read_only_udm.metadata.product_log_id Directly mapped from the source_uuid field.
    src
    		 event2.idm.read_only_udm.principal.ip Directly mapped from the src field.
    src
    		 event2.idm.read_only_udm.principal.asset.ip Directly mapped from the src field.
    srcPort
    		 event2.idm.read_only_udm.principal.port Directly mapped from the srcPort field after converting it to an integer.
    target_address
    		 event1.idm.read_only_udm.target.ip Directly mapped from the target_address field.
    target_address
    		 event1.idm.read_only_udm.target.asset.ip Directly mapped from the target_address field.
    target_port
    		 event1.idm.read_only_udm.target.port Directly mapped from the target_port field after converting it to an integer.
    threatName
    		 event2.idm.read_only_udm.security_result.threat_name Directly mapped from the threatName field.
    threatName
    		 event.alert.alert_short_name Directly mapped from the threatName field.
    Time_of_occurrence
    		 event3.idm.read_only_udm.additional.fields.value.string_value Directly mapped from the Time_of_occurrence field. The key is set to Time_of_occurrence .
    type
    		 event2.idm.read_only_udm.security_result.category_details Directly mapped from the type field.
    type
    		 event2.idm.read_only_udm.metadata.event_type Conditionally set to GENERIC_EVENT if no other specific event type is matched.
    user_id
    		 event2.idm.read_only_udm.principal.user.userid Directly mapped from the user_id field.
    		event1.idm.read_only_udm.metadata.event_type Conditionally set to FILE_UNCATEGORIZED if the value of event_type is Threat_Event .
    		event1.idm.read_only_udm.metadata.log_type Set to ESET_EDR .
    		event1.idm.read_only_udm.metadata.product_name Conditionally set to ESET if the value of event_type is FirewallAggregated_Event .
    		event2.idm.read_only_udm.metadata.log_type Set to ESET_EDR .
    		event2.idm.read_only_udm.metadata.product_name Set to EDR .
    		event2.idm.read_only_udm.metadata.vendor_name Set to ESET .
    		event3.idm.read_only_udm.metadata.event_type Conditionally set based on these rules: - USER_UNCATEGORIZED if principal_user_present is true . - STATUS_UPDATE if principal_machine_id_present is true . - GENERIC_EVENT otherwise.
    		event3.idm.read_only_udm.metadata.log_type Set to ESET_EDR .
    		event3.idm.read_only_udm.metadata.product_name Set to EDR .
    		event3.idm.read_only_udm.metadata.vendor_name Set to ESET .
    		event.alert.is_significant Set to true and then converted to a boolean.
    		event3.idm.read_only_udm.security_result.description Conditionally set to the value of kv_data if Scanner is empty.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: