Configuration
Copy and paste to fluent.conf or td-agent.conf
<source>
type tail
path /var/log/foo/bar.log
pos_file /var/log/td-agent/foo-bar.log.pos
tag foo.bar
format /^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) CylancePROTECT - - - Event Type: Threat, Event Name: (?<EventName>\S+), Device Name: (?<Hostname>\S+), IP Address: \((?<IpAddress>\S+)\), File Name: (?<FileName>\S+), Path: (?<Path>.*), Drive Type: (?<DriveType>.*), SHA256: (?<Sha256>\S+), MD5: (?<Md5>\S+), Status: (?<Status>\S+), Cylance Score: (?<Score>\S+), Found Date: (?<FoundDate>[^\]]*), File Type: (?<FileType>\S+), Is Running: (?<IsRunning>\S+), Auto Run: (?<AutoRun>\S+), Detected By: (?<Detector>\S+), Zone Names: \((?<Zones>\S+)\), Is Malware: (?<IsMalware>.*), Is Unique To Cylance: (?<UniqueToCylance>\S+), Threat Classification: (?<Classification>.*), Device Id: (?<DeviceId>\S+), Policy Name: (?<PolicyName>\S+)/
time_format %Y-%m-%dT%H:%M:%S.%LZ
</source>
type tail
path /var/log/foo/bar.log
pos_file /var/log/td-agent/foo-bar.log.pos
tag foo.bar
format /^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) CylancePROTECT - - - Event Type: Threat, Event Name: (?<EventName>\S+), Device Name: (?<Hostname>\S+), IP Address: \((?<IpAddress>\S+)\), File Name: (?<FileName>\S+), Path: (?<Path>.*), Drive Type: (?<DriveType>.*), SHA256: (?<Sha256>\S+), MD5: (?<Md5>\S+), Status: (?<Status>\S+), Cylance Score: (?<Score>\S+), Found Date: (?<FoundDate>[^\]]*), File Type: (?<FileType>\S+), Is Running: (?<IsRunning>\S+), Auto Run: (?<AutoRun>\S+), Detected By: (?<Detector>\S+), Zone Names: \((?<Zones>\S+)\), Is Malware: (?<IsMalware>.*), Is Unique To Cylance: (?<UniqueToCylance>\S+), Threat Classification: (?<Classification>.*), Device Id: (?<DeviceId>\S+), Policy Name: (?<PolicyName>\S+)/
time_format %Y-%m-%dT%H:%M:%S.%LZ
</source>
Data Inspector
Attributes
| Key | Value |
|---|---|
| time | 2020/03/09 10:58:06 +0000 |
Records
| Key | Value |
|---|---|
| pri | 156 |
| host | sysloghost |
| EventName | threat_quarantined |
| Hostname | ip-10-x-x-x.appcode.ew1.bucode.some.domain.com |
| IpAddress | 10.x.x.x |
| FileName | virus.exe |
| Path | /path/ |
| DriveType | Internal Hard Drive |
| Sha256 | A8D76D6EFD4 |
| Md5 | B8F4F2CC08 |
| Status | Quarantined |
| Score | 69 |
| FoundDate | 3/9/2020 10:58:06 AM |
| FileType | Executable |
| IsRunning | False |
| AutoRun | False |
| Detector | FileWatcher |
| Zones | mcs |
| IsMalware | False |
| UniqueToCylance | False |
| Classification | UNCLASSIFIED |
| DeviceId | 89473712-450e-4355 |
| PolicyName | Default |