Configuration
Copy and paste into fluent.conf or td-agent.conf. The pattern matches RFC 5424 syslog lines (<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, here with CylancePROTECT as APP-NAME and "-" for the other three) whose message has Event Type: Threat. Lines with any other event type, or with a space in a value captured by \S+ (Device Name, File Name, Policy Name and the other single-token fields), do not match, and in_tail drops them with a "pattern not match" warning. time_format contains no %z (the trailing Z is a literal), so add utc true to the source unless the agent runs in UTC, otherwise the timestamp is read as local time; the time capture becomes the event time and is not kept in the record. type and format are the v0.12 syntax; Fluentd v1 still accepts them but prefers @type tail with a <parse> section.
<source>
type tail
path /var/log/foo/bar.log
pos_file /var/log/td-agent/foo-bar.log.pos
tag foo.bar
format /^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) CylancePROTECT - - - Event Type: Threat, Event Name: (?<EventName>\S+), Device Name: (?<Hostname>\S+), IP Address: \((?<IpAddress>\S+)\), File Name: (?<FileName>\S+), Path: (?<Path>.*), Drive Type: (?<DriveType>.*), SHA256: (?<Sha256>\S+), MD5: (?<Md5>\S+), Status: (?<Status>\S+), Cylance Score: (?<Score>\S+), Found Date: (?<FoundDate>[^\]]*), File Type: (?<FileType>\S+), Is Running: (?<IsRunning>\S+), Auto Run: (?<AutoRun>\S+), Detected By: (?<Detector>\S+), Zone Names: \((?<Zones>\S+)\), Is Malware: (?<IsMalware>.*), Is Unique To Cylance: (?<UniqueToCylance>\S+), Threat Classification: (?<Classification>.*), Device Id: (?<DeviceId>\S+), Policy Name: (?<PolicyName>\S+)/
time_format %Y-%m-%dT%H:%M:%S.%LZ
</source>
Data Inspector
Attributes
| Key | Value |
|---|---|
| time | 2020/03/09 10:58:06 +0000 |
Records
| Key | Value |
|---|---|
| pri | 156 |
| host | sysloghost |
| EventName | threat_quarantined |
| Hostname | ip-10-x-x-x.appcode.ew1.bucode.some.domain.com |
| IpAddress | 10.x.x.x |
| FileName | virus.exe |
| Path | /path/ |
| DriveType | Internal Hard Drive |
| Sha256 | A8D76D6EFD4 |
| Md5 | B8F4F2CC08 |
| Status | Quarantined |
| Score | 69 |
| FoundDate | 3/9/2020 10:58:06 AM |
| FileType | Executable |
| IsRunning | False |
| AutoRun | False |
| Detector | FileWatcher |
| Zones | mcs |
| IsMalware | False |
| UniqueToCylance | False |
| Classification | UNCLASSIFIED |
| DeviceId | 89473712-450e-4355 |
| PolicyName | Default |
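The parser above exercised in plain Ruby, as an added example that is not part of the original page or of Fluentd itself: it runs the same Onigmo regexp and time_format that in_tail would use over a log line constructed from the Data Inspector values, and over two constructed variants the pattern rejects (a file name containing a space, and a non-Threat event). parse_cylance_threat is a hypothetical helper name; DateTime.strptime is used as a stand-in for utc true, since the format has no zone field.

```ruby
require 'date'
require 'time'

# Same regexp as the <source> block above (Ruby/Onigmo syntax, the engine
# Fluentd's regexp parser uses), so match behaviour here equals in_tail's.
CYLANCE_THREAT_RE = /^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) CylancePROTECT - - - Event Type: Threat, Event Name: (?<EventName>\S+), Device Name: (?<Hostname>\S+), IP Address: \((?<IpAddress>\S+)\), File Name: (?<FileName>\S+), Path: (?<Path>.*), Drive Type: (?<DriveType>.*), SHA256: (?<Sha256>\S+), MD5: (?<Md5>\S+), Status: (?<Status>\S+), Cylance Score: (?<Score>\S+), Found Date: (?<FoundDate>[^\]]*), File Type: (?<FileType>\S+), Is Running: (?<IsRunning>\S+), Auto Run: (?<AutoRun>\S+), Detected By: (?<Detector>\S+), Zone Names: \((?<Zones>\S+)\), Is Malware: (?<IsMalware>.*), Is Unique To Cylance: (?<UniqueToCylance>\S+), Threat Classification: (?<Classification>.*), Device Id: (?<DeviceId>\S+), Policy Name: (?<PolicyName>\S+)/

# time_format from the <source> block. It has no %z: the trailing Z is a literal.
TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%LZ'

# Constructed sample line assembled from the Data Inspector values on this page;
# it is not a real CylancePROTECT export.
SAMPLE_LINE = '<156>1 2020-03-09T10:58:06.000Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_quarantined, Device Name: ip-10-x-x-x.appcode.ew1.bucode.some.domain.com, IP Address: (10.x.x.x), File Name: virus.exe, Path: /path/, Drive Type: Internal Hard Drive, SHA256: A8D76D6EFD4, MD5: B8F4F2CC08, Status: Quarantined, Cylance Score: 69, Found Date: 3/9/2020 10:58:06 AM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher, Zone Names: (mcs), Is Malware: False, Is Unique To Cylance: False, Threat Classification: UNCLASSIFIED, Device Id: 89473712-450e-4355, Policy Name: Default'

# Constructed variants the pattern rejects: FileName is \S+, so a space in the
# file name breaks the match, and only Event Type: Threat is accepted.
REJECTED_LINES = {
  'space in file name' => SAMPLE_LINE.sub('File Name: virus.exe', 'File Name: evil invoice.exe'),
  'non-threat event'   => SAMPLE_LINE.sub('Event Type: Threat,', 'Event Type: Device,')
}.freeze

# Hypothetical helper mimicking in_tail with format/time_format: returns
# [event_time, record] on a match, nil when the line does not match (Fluentd
# logs "pattern not match" and drops the line). The `time` capture becomes the
# event time and is removed from the record, which is why the Records table
# above has no time row.
def parse_cylance_threat(line)
  m = CYLANCE_THREAT_RE.match(line)
  return nil unless m
  record = m.names.each_with_object({}) { |name, h| h[name] = m[name] }
  # DateTime.strptime defaults to +00:00, equivalent to utc true; Fluentd
  # without that option would read this zone-less format as local time.
  event_time = DateTime.strptime(record.delete('time'), TIME_FORMAT).to_time
  [event_time, record]
end

if $PROGRAM_NAME == __FILE__
  time, record = parse_cylance_threat(SAMPLE_LINE)
  puts "time=#{time.utc.iso8601} EventName=#{record['EventName']} Sha256=#{record['Sha256']} fields=#{record.size}"
  REJECTED_LINES.each { |why, line| puts "#{why}: #{parse_cylance_threat(line).inspect}" }
end
```

Because Path, Drive Type, Found Date, Is Malware and Threat Classification are captured greedily (.* or [^\]]*), they tolerate spaces and are recovered by backtracking to the next literal ", Field Name: " marker; the single-token \S+ fields are the ones that silently discard a whole event when a value contains whitespace, so check Fluentd's log for pattern-not-match warnings after deploying the pattern.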