Hi to all.
ArcSight currently officially supports Kaspersky Anti-Virus 6.0 for Windows Workstations, Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition, Kaspersky Administration Kit 8.0, and Kaspersky Endpoint Security 10.0 for Windows.
But parsing is stupid and all event details go into the message field.
I think it's not completely ArcSight's fault, because KAV itself writes its log to the database in such a strange, huge multi-line form. Obviously its developers have no idea about database normalization.
I've attached my rough-and-ready parser addition for Kaspersky events.
How it works:
- tested with SC versions >= 7.0. As far as I remember, only starting with that version does the connector write the flexString1 field, which my parsers use. Maybe I'm wrong.
- uses additional regex parsing, so you should place the configs into the current\user\agent\fcp\additionalregexparsing\kaspersky_db directory
- parses not all event types, but the most interesting ones (12 for my use cases).
- multi-line regexes for the inconvenient KAV logs.
- performance, because of the reprocessing of the same field (message). But currently customers do not have performance issues.
- a hell of a lot of spam in agent.log, swearing about "does not match regular expression". Non-lethal, but annoying in case you try to troubleshoot something via that log
- the parser works only with events which have a value in the flexString1 field. Most of the interesting events do have flexString1, but I believe something may be missed.
- regex0 is the main parser for most of the events. regex1 is an additional parser for host status change events only.
My question is: does somebody have any ideas or KAV parser implementations they want to share too? I believe my approach can be redesigned, improved or changed. But I'm sooo lazy
P.S. Unfortunately I work with the Russian localization of KAV only, so the example events in the configs are Cyrillic. But I think other localizations use the same EventIDs and event format, so it's easy to adapt.
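The flow described in the post (re-parse the message field with a multi-line regex0, fall back to regex1 for host status changes, and only touch events that carry flexString1, leaving non-matches intact), written as a stand-alone Python sketch. This is an added illustration, not the attached connector config; the two sample messages and their field layout are constructed for the example and are not real KAV log output.

```python
import re

# Constructed stand-ins for two Kaspersky events as they might land in the
# ArcSight "message" field (multi-line "Key: value" blocks). Not real KAV
# samples; the layout and key names are assumptions for this example.
KAV_DETECT_MSG = (
    "Virus detected\n"
    "Object: C:\\Users\\bob\\Downloads\\invoice.zip//invoice.exe\n"
    "Threat: EICAR-Test-File\n"
    "User: CORP\\bob\n"
    "Action: Deleted\n"
)
KAV_STATUS_MSG = (
    "Host status changed\n"
    "Host: WS-0042\n"
    "Old status: OK\n"
    "New status: Critical\n"
)

# regex0: main multi-line parser; regex1: host status change parser only.
# re.S lets '.' cross line breaks, re.M anchors ^ and $ on each line.
REGEX0 = re.compile(
    r"^(?P<name>[^\n]+)\n"
    r"^Object: (?P<file>[^\n]+)$.*?"
    r"^Threat: (?P<threat>[^\n]+)$.*?"
    r"^User: (?P<user>[^\n]+)$.*?"
    r"^Action: (?P<action>[^\n]+)$",
    re.S | re.M,
)
REGEX1 = re.compile(
    r"^Host status changed\n^Host: (?P<host>[^\n]+)$.*?"
    r"^Old status: (?P<old>[^\n]+)$.*?^New status: (?P<new>[^\n]+)$",
    re.S | re.M,
)


def parse_kav_event(event: dict) -> dict:
    """Split 'message' into discrete fields. Events without flexString1 are
    returned untouched; regex0 is tried first, then regex1; an event matching
    neither keeps its original fields and is flagged rather than dropped."""
    if not event.get("flexString1"):
        return dict(event, parsed=False)
    for parser, rx in (("regex0", REGEX0), ("regex1", REGEX1)):
        m = rx.search(event.get("message", ""))
        if m:
            return dict(event, parsed=True, parser=parser, **m.groupdict())
    # Counterpart of the agent.log "does not match regular expression" noise
    return dict(event, parsed=False, parse_error="no regex matched")
```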