# ESET Protect Integration

ESET PROTECT allows you to efficiently manage ESET products across workstations and servers within a networked environment, supporting up to 50,000 devices from a single centralized platform. Through the ESET PROTECT Web Console, you can seamlessly deploy ESET solutions, manage tasks, enforce security policies, monitor system health, and swiftly address any issues or threats on remote devices.

---

#### **Data streams**

The ESET PROTECT integration collects three types of logs: Detection, Device Task and Event.

**Detection** is used to retrieve detections via the ESET Connect - Incident Management.

**Device Task** is used to retrieve device tasks via the ESET Connect - Automation.

**Event** is used to retrieve Detection, Firewall, HIPS, Audit, and ESET Inspect logs using the Syslog Server.

---

##### **Requirements:**

- Elastic Agent must be installed

---

#### **Setup**

##### **To collect data from ESET Connect, follow the below steps:**

1. Create an API user account (*refer to How to Create an API User Account below*).
2. Retrieve the username and password generated during the creation of the API user account.
3. Retrieve the region from the ESET Web Console URL.

##### **To collect data from ESET PROTECT via Syslog, follow the below steps:**

1. Follow the steps to configure the Syslog server (*refer to How to Configure Syslog Server below*).
    - Set the format of the payload to **JSON**.
    - Set the format of the envelope to **Syslog**.
    - Set the minimal log level to **Information** to collect all data.
    - Select all checkboxes to collect logs for all event types.
    - Enter the **IP Address** or **FQDN** of the Elastic Agent that is running the integration in the Destination IP field.
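The Event data stream only parses what the settings above produce. As an added check (example code, not part of the integration), this Python snippet classifies lines received at the Elastic Agent listener and flags the common misconfigurations: a LEEF or CEF payload, or a BSD envelope instead of Syslog. The sample lines are constructed and their JSON keys are placeholders, not ESET's schema.

```python
# Added example, not part of the ESET PROTECT integration: checks that lines
# reaching the Elastic Agent listener use the settings above (JSON payload in
# a Syslog/RFC 5424 envelope). Samples are constructed; JSON keys are placeholders.
import json
import re

# RFC 5424 envelope: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$")
# BSD (RFC 3164) envelope: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
BSD = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                 r"(?P<host>\S+) (?P<msg>.*)$")

def classify(line: str) -> dict:
    """Report envelope type, syslog severity, payload type and parsed JSON."""
    result = {"envelope": "unknown", "severity": None, "payload": "unknown", "event": None}
    m = RFC5424.match(line)
    if m:
        result["envelope"] = "syslog"
    else:
        m = BSD.match(line)
        if m:
            result["envelope"] = "bsd"
    if m is None:
        return result
    # Severity is the low three bits of PRI; 6 = Information, the minimal level above.
    result["severity"] = int(m.group("pri")) & 7
    msg = m.group("msg").strip()
    if msg.startswith("{"):
        try:
            result["event"] = json.loads(msg)
            result["payload"] = "json"
        except json.JSONDecodeError:
            result["payload"] = "invalid-json"
    elif msg.startswith(("LEEF:", "CEF:")):
        # Payload format was left at LEEF or CEF instead of JSON.
        result["payload"] = msg.split(":", 1)[0].lower()
    return result

def matches_integration(line: str) -> bool:
    """True only for the combination the Event data stream expects."""
    r = classify(line)
    return r["envelope"] == "syslog" and r["payload"] == "json"

# Constructed sample lines (PRI 134 = facility local0, severity 6 = Information).
GOOD = ('<134>1 2024-11-05T10:15:30Z eset-protect ERAServer - - - '
        '{"type":"Threat_Event","host":"ws-01","level":"Warning"}')
LEEF = ('<134>1 2024-11-05T10:15:30Z eset-protect ERAServer - - - '
        'LEEF:2.0|ESET|PROTECT|1.0|Threat|cat=Antivirus')
BSD_MSG = '<134>Nov  5 10:15:30 eset-protect {"type":"Audit_Event"}'
```

Run `matches_integration` over a handful of captured lines after applying the settings; any `False` points at the payload or envelope option that was left at its previous value.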

---

#### **How to Create an API User Account:**

##### **For ESET Business Account and ESET MSP Administrator 2**

Follow the steps below to create the dedicated API user account:

1. Log in as Superuser (or Root) to your **ESET Business Account** or **ESET MSP Administrator 2**.
2. Navigate to **User management** and create a new user.
3. Under the **Access Rights** section, enable the toggle next to **Integrations**. [![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2024-11/scaled-1680-/aYONheFotttkYVLL-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2024-11/aYONheFotttkYVLL-image.png)
4. Click **Create** to apply the changes.
5. The new user receives an invitation email and must finish the account activation process.

##### **For ESET PROTECT Hub**

Follow the steps below to create the dedicated API user account:

1. Log in as a Superuser to your **ESET PROTECT Hub** account.
2. Navigate to **Users** and add a new user.
3. Under the **Permissions** section, enable the toggle next to **Integrations**. [![image.png](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2024-11/scaled-1680-/opgDzC1d93odlwX4-image.png)](https://cytechint-docs-bookstack.s3.amazonaws.com/uploads/images/gallery/2024-11/opgDzC1d93odlwX4-image.png)
4. Click **Next** and then click **Create** to apply the changes.
5. The new user receives an invitation email and must finish the account activation process.

---

#### **How to Configure Syslog Server**

If you have a Syslog server running in your network, you can export logs to Syslog to receive certain events (Detection Event, Firewall Aggregated Event, HIPS Aggregated Event, etc.) from client computers running ESET Endpoint Security.

**To enable the Syslog server:**

1. Click **More** > **Settings** > **Syslog** and click the toggle next to **Enable Syslog sending**.
2. Specify the following mandatory settings:

- **Format of payload**: **JSON**, **LEEF** or **CEF**
- **Format of envelope** of the log: **BSD** (specification), **Syslog** (specification)
- **Minimal log level**: **Information**, **Warning**, **Error** or **Critical**
- **Event type of logs**: select the types of logs you want to include (**Antivirus**, **HIPS**, **Firewall**, **Web protection**, **Audit Log**, **Blocked files**, **ESET Inspect alerts**).
- **Destination IP or FQDN of TLS-compatible syslog server**: IPv4 address or hostname of the destination for Syslog messages
- **Validate CA Root certificates of TLS connections**: click the toggle to enable certificate validation for the connection between your Syslog server and ESET PROTECT. After enabling the validation, a new text field is displayed where you can paste the required certificate chain. The server certificate must meet the following requirements:
    - The whole certificate chain in PEM format is uploaded and saved in the Syslog export configuration (this includes the root CA, as there are no built-in trusted certificates).
    - Your Syslog server's certificate provides a Subject Alternative Name extension (DNS=/IP=) in which at least one record corresponds to the FQDN/IP configured as the destination.

> You need the certification authority version 3 (and later) with the Basic Constraints certificate extension to pass the validation.
> 
> The validation of TLS connections applies only to the certificates. Disabling the validation does not affect the TLS settings of ESET PROTECT.

After making the applicable changes, click **Apply settings**. The configuration becomes effective in 10 minutes.

> The regular application log file is constantly being written to. Syslog only serves as a medium to export certain asynchronous events, such as notifications or various client computer events.

*If you need further assistance, kindly contact our support at <support@cytechint.com> for prompt assistance and guidance.*