Avast Antivirus is a family of cross-platform internet security applications. This topic describes how to send system logs from your Avast Antivirus platform to Logz.io.
Before you begin, you’ll need:
- Avast Antivirus installed on your machine
- An active account with Logz.io
- Filebeat installed on your machine
- Root privileges on your machines
Default configuration
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder. The Filebeat configuration below reads the certificate from the path listed under certificate_authorities (C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt on Windows), so either save it there or change that path to match where you stored it.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
- Paste the following into the inputs section of the Filebeat configuration file:
filebeat.inputs:
# Each input ships one Avast report file; negate: true with match: after means a line
# matching the pattern starts a new event and every other line is appended to it.
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
  fields:
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    type: pattern
    pattern: '(\d\d/\d\d/\d\d\d\d)'
    negate: true
    match: after
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
  fields:
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    pattern: '^\* Avast Scan Report'
    negate: true
    match: after
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
  fields:
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    pattern: '^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of'
    negate: true
    match: after
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\WebShield.txt
  fields:
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    pattern: '^\*\n\* Avast Real-time Shield Scan Report'
    negate: true
    match: after
filebeat.registry.path: 'C:\ProgramData\Filebeat'
processors:
# Rename fields that would otherwise collide with Logz.io's own field names.
- rename:
    fields:
    - from: "agent"
      to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
      certificate_authorities: ['C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt']
If you’re running Filebeat 8.1+, the type of the filebeat.inputs entries is filestream instead of log:
filebeat.inputs:
- type: filestream
  paths:
    - /var/log/*.log
- Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
- Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL.
- Run Filebeat with the new configuration.
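Before shipping, it is worth confirming that the multiline patterns above actually split each report file into one event per scan or detection, rather than one giant event or one event per line. The script below is an added example, not Logz.io or Avast code: it reimplements Filebeat's negate: true / match: after grouping rule in plain Python and runs the page's patterns over constructed sample report lines. The sample lines, the assumed single-line aswBoot pattern, and the function names are illustrative only.

```python
import re

# Multiline settings copied from the Filebeat inputs on this page: every input
# uses negate: true and match: after, so a line that matches the pattern opens
# a new event and a line that does not match is appended to the open event.
FILESYSTEM_SHIELD_PATTERN = r"(\d\d/\d\d/\d\d\d\d)"
FULL_SCAN_PATTERN = r"^\* Avast Scan Report"
ASWBOOT_PATTERN = r"^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of"

# Assumed single-line alternative for the aswBoot pattern (not from the page):
# it keys on the timestamp line alone, which is all Filebeat sees at one time.
ASWBOOT_SINGLE_LINE_PATTERN = r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}$"

# Constructed sample report lines, shaped like the report files named in the
# configuration; they are illustrative, not captured from a real installation.
SAMPLE_FILESYSTEM_SHIELD = [
    "01/02/2024 10:15:03 C:\\Users\\demo\\Downloads\\sample.exe [detected]",
    "    action: file moved to quarantine",
    "01/02/2024 10:16:44 C:\\Users\\demo\\Downloads\\notes.txt [clean]",
]
SAMPLE_FULL_SCAN = [
    "* Avast Scan Report",
    "* Started on 01/02/2024 09:00",
    "C:\\Users\\demo\\Downloads\\sample.exe [detected]",
    "* Avast Scan Report",
    "* Started on 02/02/2024 09:00",
    "No infections found",
]
SAMPLE_ASWBOOT = [
    "01/02/2024 07:00",
    "Scan of all local drives",
    "No infections found",
    "02/02/2024 07:00",
    "Scan of all local drives",
    "No infections found",
]


def group_multiline(lines, pattern, negate=True, match="after"):
    """Simulate Filebeat pattern multiline for one report file.

    Only the negate=True / match="after" combination used on this page is
    modelled. As in Filebeat, the pattern is tested against one line at a
    time with the trailing newline already stripped, so a pattern that
    needs a literal "\\n" can never match and never opens a new event.
    """
    if not negate or match != "after":
        raise ValueError("only negate=True, match='after' is modelled here")
    regex = re.compile(pattern)
    events = []
    for line in lines:
        if events and regex.search(line) is None:
            events[-1].append(line)   # non-match (negated): continuation line
        else:
            events.append([line])     # match, or very first line: new event
    return ["\n".join(event) for event in events]


def event_counts():
    """Number of events each pattern yields on its sample, for a sanity check."""
    return {
        "FileSystemShield.txt": len(group_multiline(SAMPLE_FILESYSTEM_SHIELD, FILESYSTEM_SHIELD_PATTERN)),
        "Full Virus Scan.txt": len(group_multiline(SAMPLE_FULL_SCAN, FULL_SCAN_PATTERN)),
        "aswBoot.txt (page pattern)": len(group_multiline(SAMPLE_ASWBOOT, ASWBOOT_PATTERN)),
        "aswBoot.txt (single-line pattern)": len(group_multiline(SAMPLE_ASWBOOT, ASWBOOT_SINGLE_LINE_PATTERN)),
    }


if __name__ == "__main__":
    for name, count in event_counts().items():
        print(f"{name}: {count} event(s)")
```

Run it with python3 and compare the counts with what you expect from your own report files. In this simulation the FileSystemShield and Full Virus Scan patterns produce one event per detection or scan report, whereas the aswBoot pattern (and likewise the WebShield one) contains a literal \n, which a per-line test can never match: every line becomes a continuation of the first event until Filebeat's multiline.max_lines or multiline.timeout flushes it. If you see that in Kibana, a pattern that keys on a single line, such as the assumed timestamp-only pattern shown here, is the kind of replacement to try, and you should verify the behaviour against the Filebeat version you run.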
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type avast to see the incoming Avast logs.
If you still don’t see your data, see log shipping troubleshooting.
Optional configuration with report files
Configure Avast Antivirus to generate report files for your scans
If you want to send data from virus scans together with the logs, you need to enable Avast Antivirus to generate report files for these scans. You do not need to change anything in the Filebeat configuration, as it already includes the paths to these report files.
To enable this:
- Open Avast Antivirus.
- Navigate to Menu > Settings > Protection > Virus Scans > Full Virus Scan.
- Check the Generate report file checkbox.
- Navigate to Targeted Scan.
- Check the Generate report file checkbox.
- Navigate to Explorer Scan.
- Check the Generate report file checkbox.