Avast Antivirus is a family of cross-platform internet security applications. This topic describes how to send the report files that Avast Antivirus writes on a Windows machine to Logz.io with Filebeat.

Before you begin, you’ll need:

  • Avast Antivirus installed on your machine
  • An active account with Logz.io
  • Filebeat installed on your machine
  • Root (or local administrator) privileges on your machines

Default configuration

Download the Logz.io public certificate

Filebeat verifies the TLS connection to the Logz.io listener against this certificate, so save it at the path you will reference in ssl.certificate_authorities in the next step. The Avast report files in the configuration below are Windows paths, and that configuration expects the certificate at C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt; download the file from the URL below and save it there. On a Linux host, download it to your certificate authority folder instead and point ssl.certificate_authorities at that path:

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat
  1. Use the following as your Filebeat configuration file (filebeat.yml). It defines one input per Avast report file, the registry path, the field renames that Logz.io expects, and the TLS output to the Logz.io listener:

    filebeat.inputs:
    # One input per Avast report file. Each file is multiline: the pattern
    # identifies the first line of an entry, and every following line that
    # does not match it is appended to that entry (negate: true, match: after).
    # Filebeat applies the pattern to one line at a time, so the pattern must
    # match a single line; a pattern containing "\n" never matches and would
    # collapse the whole file into one event.
    - type: log
      paths:
        - C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
      fields:
        logzio_codec: plain
        token: <<LOG-SHIPPING-TOKEN>>
        type: avast
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
      multiline:
        type: pattern
        pattern: '(\d\d/\d\d/\d\d\d\d)'
        negate: true
        match: after
    - type: log
      paths:
        - C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
      fields:
        logzio_codec: plain
        token: <<LOG-SHIPPING-TOKEN>>
        type: avast
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
      multiline:
        type: pattern
        pattern: '^\* Avast Scan Report'
        negate: true
        match: after
    - type: log
      paths:
        - C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
      fields:
        logzio_codec: plain
        token: <<LOG-SHIPPING-TOKEN>>
        type: avast
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
      multiline:
        type: pattern
        # An entry starts with a date/time line. The "Scan of" line that
        # follows it is a separate line and cannot be part of the pattern.
        pattern: '^\d{2}/\d{2}/\d{4} \d{2}:\d{2}'
        negate: true
        match: after
    - type: log
      paths:
        - C:\ProgramData\Avast Software\Avast\report\WebShield.txt
      fields:
        logzio_codec: plain
        token: <<LOG-SHIPPING-TOKEN>>
        type: avast
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
      multiline:
        type: pattern
        # A lone "*" separator line before this header, if present, is
        # appended to the preceding entry.
        pattern: '^\* Avast Real-time Shield Scan Report'
        negate: true
        match: after
    filebeat.registry.path: 'C:\ProgramData\Filebeat'
    processors:
    - rename:
        fields:
          - from: "agent"
            to: "beat_agent"
        ignore_missing: true
    - rename:
        fields:
          - from: "log.file.path"
            to: "source"
        ignore_missing: true
    output:
      logstash:
        hosts: ["<<LISTENER-HOST>>:5015"]
        ssl:
          # Must be the path where you saved the Logz.io public certificate.
          certificate_authorities: ['C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt']


    If you’re running Filebeat 8.1+, use the filestream input type instead of log. With filestream, multiline moves under parsers: and each input should carry a unique id; paths, fields, fields_under_root, encoding and ignore_older stay as above. The first input above, converted:

    filebeat.inputs:
    - type: filestream
      id: avast-filesystemshield
      paths:
        - C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
      parsers:
        - multiline: {type: pattern, pattern: '(\d\d/\d\d/\d\d\d\d)', negate: true, match: after}
    
    • Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
    • Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL.
  2. Validate the file and the TLS connection to the listener with filebeat test config and filebeat test output, then run Filebeat with the new configuration.
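To see what the multiline settings above do to a report file, here is an added Python example (not part of the original page, and not Logz.io's or Avast's code) that reproduces Filebeat's negate/match grouping on a few constructed sample lines. The sample report text is invented for illustration and the real Avast report layout may differ; the function names group_multiline and demo are the example's own. It also shows why a pattern containing "\n" cannot work: Filebeat applies the pattern to one line at a time, so such a pattern never matches and the whole file becomes a single event.

```python
import re

# Multiline patterns from the Filebeat configuration on this page, in per-line
# form. Filebeat splits the file into lines first and runs the regex against
# each line on its own (Go regexp.MatchString, an unanchored search).
PATTERNS = {
    "FileSystemShield.txt": r"(\d\d/\d\d/\d\d\d\d)",
    "Full Virus Scan.txt": r"^\* Avast Scan Report",
    "aswBoot.txt": r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}",
    "WebShield.txt": r"^\* Avast Real-time Shield Scan Report",
}

# A pattern that tries to span two lines ("\n" inside it). Because Filebeat
# matches one line at a time, it never matches anything.
BROKEN_ASWBOOT = r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}\nScan of"


def group_multiline(lines, pattern, negate=True, match="after"):
    """Group lines into events the way Filebeat's multiline reader does.

    negate=True, match="after" (the page's setting): a line that does NOT
    match the pattern is appended to the event started by the most recent
    line that does. match="before": continuation lines are prepended to the
    next line that ends the event. Returns a list of events, each a list of
    lines. max_lines and the flush timeout are not modelled.
    """
    regex = re.compile(pattern)

    def continuation(line):
        # True when this line should be joined to its neighbour.
        return bool(regex.search(line)) != negate

    events, current = [], []
    if match == "after":
        for line in lines:
            if current and continuation(line):
                current.append(line)
            else:
                if current:
                    events.append(current)
                current = [line]
    elif match == "before":
        for line in lines:
            current.append(line)
            if not continuation(line):
                events.append(current)
                current = []
    else:
        raise ValueError("match must be 'after' or 'before'")
    if current:
        events.append(current)
    return events


# Constructed sample report content (NOT real Avast output; the layout only
# exercises the patterns above).
SAMPLE_FULL_SCAN = [
    "* Avast Scan Report",
    "* Started on 01/03/2024 10:15:02",
    "C:\\Users\\alice\\Downloads\\invoice.exe [L] Win32:Evo-gen [Trj]",
    "* Scan stopped on 01/03/2024 10:42:17",
    "* Avast Scan Report",
    "* Started on 02/03/2024 09:00:00",
    "* Scan stopped on 02/03/2024 09:30:00",
]
SAMPLE_ASWBOOT = [
    "01/03/2024 07:55",
    "Scan of all local drives",
    "File C:\\Windows\\Temp\\x.tmp is infected by Win32:Malware-gen, Deleted",
    "02/03/2024 07:58",
    "Scan of all local drives",
    "Number of searched files: 182934",
]
SAMPLE_FSS = [
    "01/03/2024 10:15:02\tC:\\Users\\alice\\Downloads\\a.exe\t[L] Win32:Evo-gen [Trj]\tDeleted",
    "01/03/2024 10:15:09\tC:\\Users\\alice\\Downloads\\b.exe\t[L] Win32:Evo-gen [Trj]\tMoved to chest",
    "    (additional detail line without a timestamp)",
]


def demo():
    """Event counts for each constructed sample under the page's patterns."""
    return {
        "full_scan_events": len(group_multiline(SAMPLE_FULL_SCAN, PATTERNS["Full Virus Scan.txt"])),
        "aswboot_events": len(group_multiline(SAMPLE_ASWBOOT, PATTERNS["aswBoot.txt"])),
        "aswboot_events_broken": len(group_multiline(SAMPLE_ASWBOOT, BROKEN_ASWBOOT)),
        "fss_events": len(group_multiline(SAMPLE_FSS, PATTERNS["FileSystemShield.txt"])),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

With the per-line patterns each scan report becomes its own event (two for the full-scan and boot-scan samples), while the two-line pattern turns the whole boot-scan sample into one event, which is what you would see in Kibana as a single oversized document per file.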

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type avast to see the incoming Avast logs.

If you still don’t see your data, see log shipping troubleshooting.

Optional configuration with report files

Configure Avast Antivirus to generate report files for your scans

If you want to send data from virus scans together with the logs, you need to enable Avast Antivirus to generate report files for these scans. You do not need to change anything in the Filebeat configuration for the Full Virus Scan report, because its path is already included; if Targeted or Explorer scans write to a different report file on your system, add that path to the same input.

To enable this:

  1. Open Avast Antivirus.
  2. Navigate to Menu > Settings > Protection > Virus Scans > Full Virus Scan.
  3. Check the Generate report file checkbox.
  4. Navigate to Targeted Scan.
  5. Check the Generate report file checkbox.
  6. Navigate to Explorer Scan.
  7. Check the Generate report file checkbox.