Avast
Ship Avast System logs to logstash
Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 1 - Check log output location
Antivirus Clients Unmanaged
C:\ProgramData\AVAST Software\Avast\log\
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\
Antivirus Clients Managed
C:\Program Files (x86)\AVAST Software\Business Agent\log.txt
C:\Program Files (x86)\AVAST Software\Business Agent\smbpol.db
MacOS X
/var/log/system.log
Component Logs
Avastsvc (core service log): C:\ProgramData\AVAST Software\Avast\log\AvastSvc.log
Antivirus UI log (issues with UI start, popups etc listed here): C:\ProgramData\AVAST Software\Avast\log\AvastUI.log
Antivirus UI javascript content: C:\ProgramData\AVAST Software\Avast\log\HtmlRemoteContent.log
Dumps from Crashed Components: C:\ProgramData\AVAST Software\Avast\log\unp*.mdmp
Self-Defense Module: C:\ProgramData\AVAST Software\Avast\log\selfdef.log
Anti-rootkit protection (driver start/stop): C:\ProgramData\AVAST Software\Avast\log\arpot.log
Anti-rootkit scan: C:\ProgramData\AVAST Software\Avast\log\aswAr*.log
Anti-Spam: C:\ProgramData\AVAST Software\Avast\log\SpamEngine.log
CyberCapture/DeepScreen: C:\ProgramData\AVAST Software\Avast\log\autosandbox.log
Exchange Protection: C:\ProgramData\Avast Software\Avast\log\ExchangeShield.log
Firewall Configuration: C:\ProgramData\AVAST Software\Avast\log\FwServ.log
Mail Shield: C:\ProgramData\AVAST Software\Avast\log\Mail.log
Outlook addin: C:\ProgramData\AVAST Software\Avast\log\asOutExt64.log
Passwords: C:\ProgramData\AVAST Software\Avast\log\Pam.log
Patch Management: C:\ProgramData\Avast Software\PatchTools\History\*.zip
SecureDNS/Real Site: C:\ProgramData\AVAST Software\Avast\log\aswSecDns.log
SecureLine VPN: C:\ProgramData\AVAST Software\SecureLine\log\vpn_engine.log
Web Shield: C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log
Web Shield Debug (debug logging must be enabled): C:\ProgramData\AVAST Software\Avast\log\FilterEngine.log
Network Inspector: C:\ProgramData\AVAST Software\Avast\log\Hns.log
Windows Security Center (registration of Avast to WSC): C:\ProgramData\AVAST Software\Avast\log\wsc.log
Step 2 - Install Filebeat
- Windows
- Linux
- macOS
- DEB
- RPM
To get started you will need to install filebeat. To do this you have two main options:
- Choose the filebeat ZIP file (Windows ZIP x86_64) or
- Choose the Microsoft Software Installer MSI file (Windows MSI x86_64 (beta))
If you have chosen to download the zip file:
- Extract the contents of the zip file into C:\Program Files.
- Rename the extracted folder to filebeat
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
For more information about Powershell execution policies see here
If you have chosen to download the filebeat.msi file:
- double-click on it and the relevant files will be downloaded.
At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:
.\install-service-filebeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
For more information about Powershell execution policies see here
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (arm64)
You can tell if you have a Linux PC with an AMD / Intel CPU (kernel) architecture by opening a terminal and running the uname -m command. If it displays x86_64 you have AMD / Intel architecture.
If you have an x86_64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-x86_64.tar.gz
tar xzvf filebeat-8.12.2-linux-x86_64.tar.gz
If you have an arm64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-arm64.tar.gz
tar xzvf filebeat-8.12.2-linux-arm64.tar.gz
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a Mac with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.
If you have an x86_64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-x86_64.tar.gz
tar xzvf filebeat-8.12.2-darwin-x86_64.tar.gz
If you have an aarch64 system download and extract the contents of the file using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-aarch64.tar.gz
tar xzvf filebeat-8.12.2-darwin-aarch64.tar.gz
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.
If you have an x86_64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
sudo dpkg -i filebeat-8.12.2-amd64.deb
If you have an aarch64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-arm64.deb
sudo dpkg -i filebeat-8.12.2-arm64.deb
To get started you will need to install filebeat. To do this you have two main options:
- Choose the AMD / Intel file (x86_64) or
- Choose the ARM file (aarch64)
You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.
If you have an x86_64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-x86_64.rpm
sudo rpm -vi filebeat-8.12.2-x86_64.rpm
If you have an aarch64 system download and install filebeat using the following commands:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-aarch64.rpm
sudo rpm -vi filebeat-8.12.2-aarch64.rpm
Step 3 - Configure Filebeat
Copy and use the Filebeat configuration below.
# ============================== Filebeat inputs ==============================
filebeat.inputs:
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
fields:
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
type: pattern
pattern: '(\d\d/\d\d/\d\d\d\d)'
negate: true
match: after
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
fields:
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\* Avast Scan Report'
negate: true
match: after
ignore_older: 3h
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
fields:
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}\nScan of'
negate: true
match: after
ignore_older: 3h
- type: log
paths:
- C:\ProgramData\Avast Software\Avast\report\WebShield.txt
fields:
type: avast
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^\*\n\* Avast Real-time Shield Scan Report'
negate: true
match: after
ignore_older: 3h
filebeat.registry.path: 'C:\ProgramData\Filebeat'
# ================================== Outputs ===================================
<div class="sw-warning">
<div>
<img src="/images/source-wizard/warning-triangle.svg">
</div>
<div>
<b>No input available! </b> Your stack is missing the required input for this data source <a href="#" onclick="Intercom('showNewMessage')" class="btn btn-info btn-sm">Talk to support to add the input</a>
</div>
</div>
Step 4 - Start filebeat
- Windows
- Linux
- macOS
- DEB
- RPM
To start Filebeat, run in Powershell:
Start-Service filebeat
To start Filebeat, run:
sudo chown root filebeat.yml
sudo chown root modules.d/{modulename}.yml
sudo ./filebeat -e
You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.
To start Filebeat, run:
sudo chown root filebeat.yml
sudo chown root modules.d/{modulename}.yml
sudo ./filebeat -e
You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.
To start Filebeat, run:
sudo service filebeat start
To start Filebeat, run:
sudo service filebeat start
Step 5 - Check Logit.io for your logs
Data should now have been sent to your Stack.
If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.
Step 6 - how to diagnose no data in Stack
If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.