Avast

Avast Antivirus is a family of cross-platform internet security applications. This topic describes how to send system logs from your Avast Antivirus platform to Logz.io.

Before you begin, you'll need:

  • Avast Antivirus installed on your machine
  • An active account with Logz.io
  • Filebeat installed on your machine
  • Root privileges on your machines

Default configuration

Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat

  1. Paste the following into the inputs section of the Filebeat configuration file:

Note: Filebeat requires a file extension specified for the log input.

filebeat.inputs:
  # File System Shield report. A dd/mm/yyyy stamp starts a new event; lines
  # without one are appended to the preceding entry (negate: true, match: after).
  # The filestream input takes multiline settings under "parsers", not at input
  # level, and each filestream input needs its own unique id.
  - type: filestream
    id: avast-filesystemshield
    paths:
      - C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    parsers:
      - multiline:
          type: pattern
          pattern: '(\d\d/\d\d/\d\d\d\d)'
          negate: true
          match: after
  # Full Virus Scan report: each "* Avast Scan Report" header starts a new event.
  - type: filestream
    id: avast-full-virus-scan
    paths:
      - C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    parsers:
      - multiline:
          type: pattern
          pattern: '^\* Avast Scan Report'
          negate: true
          match: after
  # Boot-time scan report. Filebeat matches the pattern against one line at a
  # time, so a pattern containing \n does not match; if boot scan reports are not
  # split into separate events, anchor the pattern on the header's first line.
  - type: filestream
    id: avast-aswboot
    paths:
      - C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    parsers:
      - multiline:
          type: pattern
          pattern: '^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of'
          negate: true
          match: after
  # Web Shield report (same caveat: this pattern also spans two lines).
  - type: filestream
    id: avast-webshield
    paths:
      - C:\ProgramData\Avast Software\Avast\report\WebShield.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    parsers:
      - multiline:
          type: pattern
          pattern: '^\*\n\* Avast Real-time Shield Scan Report'
          negate: true
          match: after
# Keep Filebeat's read-position registry in a writable, persistent location.
filebeat.registry.path: 'C:\ProgramData\Filebeat'
processors:
  # Move Beats' own "agent" object out of the way of other agent fields.
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  # Expose the report file path as a top-level "source" field.
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
      # Must point at the Logz.io public certificate downloaded above.
      certificate_authorities: ['C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt']

If you're running Filebeat 7 to 8.1, paste the code block below instead:

filebeat.inputs:
  # File System Shield report. A dd/mm/yyyy stamp starts a new event; lines
  # without one are appended to the preceding entry (negate: true, match: after).
  - type: log
    paths:
      - C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    multiline:
      type: pattern
      pattern: '(\d\d/\d\d/\d\d\d\d)'
      negate: true
      match: after
  # Full Virus Scan report: each "* Avast Scan Report" header starts a new event.
  - type: log
    paths:
      - C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    multiline:
      pattern: '^\* Avast Scan Report'
      negate: true
      match: after
  # Boot-time scan report. Filebeat matches the pattern against one line at a
  # time, so a pattern containing \n does not match; if boot scan reports are not
  # split into separate events, anchor the pattern on the header's first line.
  - type: log
    paths:
      - C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    multiline:
      pattern: '^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of'
      negate: true
      match: after
  # Web Shield report (same caveat: this pattern also spans two lines).
  - type: log
    paths:
      - C:\ProgramData\Avast Software\Avast\report\WebShield.txt
    fields:
      logzio_codec: plain
      token: <<LOG-SHIPPING-TOKEN>>
      type: avast
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
    multiline:
      pattern: '^\*\n\* Avast Real-time Shield Scan Report'
      negate: true
      match: after
# Keep Filebeat's read-position registry in a writable, persistent location.
filebeat.registry.path: 'C:\ProgramData\Filebeat'
processors:
  # Move Beats' own "agent" object out of the way of other agent fields.
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  # Expose the report file path as a top-level "source" field.
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
      # Must point at the Logz.io public certificate downloaded above.
      certificate_authorities: ['C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt']

  • Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you're logged into the Logz.io app as an Admin. Manage your tokens.
  • Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.
  2. Run Filebeat with the new configuration.
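To see what the multiline settings above do to a report file before shipping it, here is an added Python model of Filebeat's multiline reader (example code written for this page, not code from Logz.io or Filebeat) run over a constructed sample; it also shows why a pattern that contains \n never splits events.

```python
import re

# Constructed sample in the shape the page's FileSystemShield.txt pattern expects:
# a dd/mm/yyyy stamp opens an entry and indented detail lines follow. It is NOT
# a real Avast report; the real file layout may differ.
SAMPLE_REPORT = (
    "01/02/2024 10:15:32  C:\\Users\\demo\\Downloads\\sample.exe  [L] constructed detection\n"
    "    action: moved to virus chest\n"
    "    engine: constructed-sample\n"
    "01/02/2024 10:16:01  C:\\Users\\demo\\tmp\\other.txt  [L] constructed detection\n"
)


def group_multiline(text, pattern, negate=False, match="after", max_lines=500):
    """Group lines into events the way Filebeat's multiline reader does.
    The pattern is searched (unanchored) in each newline-stripped line; a line is
    a continuation when it matches (or does not match, with negate). match: after
    appends continuations to the previous event, match: before prepends them to
    the next non-continuation line. Events are capped at max_lines lines."""
    rx = re.compile(pattern)
    events, buf = [], []

    def flush():
        if buf:
            events.append("\n".join(buf[:max_lines]))
            buf.clear()

    for line in text.splitlines():
        continuation = (rx.search(line) is not None) != negate
        if match == "after":
            if not (continuation and buf):
                flush()  # a non-continuation line starts a new event
            buf.append(line)
        else:  # match == "before"
            buf.append(line)
            if not continuation:
                flush()  # the anchor line closes the event
    flush()
    return events


def filesystemshield_events():
    # The page's FileSystemShield.txt settings: yields two events for the sample.
    return group_multiline(SAMPLE_REPORT, r"(\d\d/\d\d/\d\d\d\d)", negate=True)


def aswboot_events():
    # The page's aswBoot.txt pattern contains '\n', so it never matches a single
    # line: every line is a continuation and the whole file collapses to one event.
    return group_multiline(SAMPLE_REPORT, r"^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of", negate=True)
```

Run it against a copy of a real report file to confirm that each scan entry becomes one event before pointing Filebeat at it.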

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards. You can filter for data of type avast to see the incoming Avast logs.

If you still don't see your logs, see Filebeat troubleshooting.

Optional configuration with report files

Configure Avast Antivirus to generate report files for your scans

If you want to send data from virus scans together with the logs, you need to enable Avast Antivirus to generate report files for these scans. You do not need to change anything in the Filebeat configuration, as it already includes the paths to these report files.

To enable this:

  1. Open Avast Antivirus.
  2. Navigate to Menu > Settings > Protection > Virus Scans > Full Virus Scan.
  3. Check the Generate report file checkbox.
  4. Navigate to Targeted Scan.
  5. Check the Generate report file checkbox.
  6. Navigate to Explorer Scan.
  7. Check the Generate report file checkbox.