Avast Antivirus is a family of cross-platform internet security applications. This topic describes how to send system logs from your Avast Antivirus platform to Logz.io.
Before you begin, you’ll need:
- Avast Antivirus installed on your machine
- An active account with Logz.io
- Filebeat installed on your machine
- Root priveleges on your machines
Default configuration
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
- Paste the following into the inputs section of the Filebeat configuration file:
Filebeat requires a file extension specified for the log input.
filebeat.inputs:
- type: filestream
paths:
- C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
type: pattern
pattern: '(\d\d/\d\d/\d\d\d\d)'
negate: true
match: after
- type: filestream
paths:
- C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\* Avast Scan Report'
negate: true
match: after
ignore_older: 3h
- type: filestream
paths:
- C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of'
negate: true
match: after
ignore_older: 3h
- type: filestream
paths:
- C:\ProgramData\Avast Software\Avast\report\WebShield.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\*\n\* Avast Real-time Shield Scan Report'
negate: true
match: after
ignore_older: 3h
filebeat.registry.path: 'C:\ProgramData\Filebeat'
processors:
- rename:
fields:
- from: "agent"
to: "beat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
output:
logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt']
If you’re running Filebeat 7 to 8.1, paste the code block below instead:
filebeat.inputs:
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
type: pattern
pattern: '(\d\d/\d\d/\d\d\d\d)'
negate: true
match: after
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\* Avast Scan Report'
negate: true
match: after
ignore_older: 3h
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of'
negate: true
match: after
ignore_older: 3h
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\WebShield.txt
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\*\n\* Avast Real-time Shield Scan Report'
negate: true
match: after
ignore_older: 3h
filebeat.registry.path: 'C:\ProgramData\Filebeat'
processors:
- rename:
fields:
- from: "agent"
to: "beat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
output:
logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['C:\ProgramData\Elastic\Beats\filebeat\Logzio.crt']
- Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
- Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
- Run Filebeat with the new configuration.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can filter for data of type avast to see the incoming Axonius logs.
If you still don’t see your logs, see Filebeat troubleshooting.
Optional configuration with report files
Configure Avast Antivirus to generate report files for your scans
If you want to send data from virus scans together with the logs, you need to enable Avast Antivirus to generate report files for these scans. You do not need to change antything in the Filebeat configuration as it already includes paths to these report files.
To enable this:
- Open Avast Antivirus.
- Navigate to Menu > Settings > Protection > Virus Scans > Full Virus Scan.
- Check the Generate report file checkbox.
- Navigate to Targeted Scan.
- Check the Generate report file checkbox.
- Navigate to Explorer Scan.
- Check the Generate report file checkbox.