Want to ingest BitDefender Total scan log


vbgf3

Apr 27, 2022, 5:09:14 PM
to wa...@googlegroups.com
Hi, 

I want to make Wazuh pick up BitDefender Total's antivirus scan log. I have found the log location: C:\ProgramData\Bitdefender\Desktop\Profiles\Logs\S-1-5-21-137099556-307844384-1205082835-1001. All the Custom ( scheduled scan ) logs go in there. 

But I don't know what log_format to specify. It is just an xml file, but nothing in the reference material (localfile - Local configuration (ossec.conf) · Wazuh documentation) seems to apply.

I am including the file below.

Also I am not sure how Wazuh will deal with the folder I provide. Will it pick up the latest file automatically? 

I still need to read up on how to create a rule for this. 

Thanks in advance.
Attachment: 1651084200_1_01.xml

Jesus Linares

Apr 28, 2022, 4:40:51 AM
to Wazuh mailing list
Hi,

At this moment, Wazuh doesn't decode XML log files. I would recommend researching the following options:

Check BitDefender settings
I'm not really familiar with BitDefender, but you should check if you can enable one of the following options:
  1. Create the log files in .log (txt format) or .json. In this way, you can read the log using the json/syslog format.
  2. Create the log in Microsoft Windows event logs. In this way, you can use the event channel format.
Custom parser
If the above is not possible, you can create your custom parser:
  1. Create/find a parser from XML to JSON (Python script, PowerShell, etc).
  2. Use the command feature to run the parser each day (or any other desired frequency).
  3. Read the JSON file using the JSON format.
  4. Create the BitDefender rules.
I hope it helps.
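A Python converter for step 1 of the custom-parser approach above, added here as an example (it is not from the thread, from BitDefender or from Wazuh). The XML layout in it is constructed, since the real BitDefender scan-log schema is not shown in the thread, and the Wazuh settings mentioned in the comments are the standard localfile options, assumed rather than taken from the thread:

```python
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample log. The thread does not show BitDefender's real XML schema,
# so the converter assumes only "a root element holding one child element per record".
SAMPLE_XML = """<?xml version="1.0"?>
<ScanLog product="Bitdefender Total Security">
  <Summary Start="2022-04-27T18:30:00" Scanned="12345" Infected="1"/>
  <Item Path="C:\\Users\\user\\Downloads\\eicar.com" Threat="EICAR-Test-File" Action="Deleted"/>
  <Item Path="C:\\Users\\user\\Documents\\report.docx" Threat="" Action="Clean"/>
</ScanLog>
"""

def xml_to_records(xml_data):
    """Flatten each child of the root into a dict: root attributes, own attributes, child text."""
    root = ET.fromstring(xml_data)
    records = []
    for elem in root:
        record = {"record_type": elem.tag, **root.attrib, **elem.attrib}
        if elem.text and elem.text.strip():
            record["text"] = elem.text.strip()
        for child in elem:
            record[child.tag] = (child.text or "").strip()
        records.append(record)
    return records

def xml_to_json_lines(xml_data):
    """One compact JSON object per line: Wazuh's json log_format treats every line as one event."""
    return [json.dumps(r, separators=(",", ":")) for r in xml_to_records(xml_data)]

def convert_new_logs(log_dir, out_file):
    """Append every not-yet-converted *.xml in log_dir to out_file (NDJSON); returns converted names.
    Appending keeps the file the agent tails in place instead of replacing it on every run."""
    log_dir, out_file = Path(log_dir), Path(out_file)
    state = out_file.with_suffix(".done")   # names already converted, one per line
    done = set(state.read_text().split()) if state.exists() else set()
    converted = []
    with out_file.open("a", encoding="utf-8") as out:
        for xml_file in sorted(log_dir.glob("*.xml")):
            if xml_file.name in done:
                continue
            out.writelines(line + "\n" for line in xml_to_json_lines(xml_file.read_bytes()))
            converted.append(xml_file.name)
    with state.open("a") as st:
        st.writelines(name + "\n" for name in converted)
    return converted

if __name__ == "__main__":
    # Wazuh side (standard localfile settings, assumed): run this script on a schedule with the
    # command log_format, then read the output file with <log_format>json</log_format>.
    src = sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData\Bitdefender\Desktop\Profiles\Logs"
    print(convert_new_logs(src, Path(src) / "bitdefender_scan.json"))
```

Once the real log layout is known, only `xml_to_records` needs adjusting; the NDJSON output and the append-only handling stay the same.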