
Send data via Avast to your Logstash instance provided by Logit.io

Avast

Ship Avast system logs to Logstash

Step 1 - Check log output location

Antivirus Clients Unmanaged

C:\ProgramData\AVAST Software\Avast\log\
C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\

Antivirus Clients Managed

C:\Program Files (x86)\AVAST Software\Business Agent\log.txt
C:\Program Files (x86)\AVAST Software\Business Agent\smbpol.db

macOS

/var/log/system.log

Component Logs

AvastSvc (core service log): C:\ProgramData\AVAST Software\Avast\log\AvastSvc.log
Antivirus UI log (issues with UI start, popups, etc. are listed here): C:\ProgramData\AVAST Software\Avast\log\AvastUI.log
Antivirus UI JavaScript content: C:\ProgramData\AVAST Software\Avast\log\HtmlRemoteContent.log
Dumps from Crashed Components: C:\ProgramData\AVAST Software\Avast\log\unp*.mdmp
Self-Defense Module: C:\ProgramData\AVAST Software\Avast\log\selfdef.log
Anti-rootkit protection (driver start/stop): C:\ProgramData\AVAST Software\Avast\log\arpot.log
Anti-rootkit scan: C:\ProgramData\AVAST Software\Avast\log\aswAr*.log
Anti-Spam: C:\ProgramData\AVAST Software\Avast\log\SpamEngine.log
CyberCapture/DeepScreen: C:\ProgramData\AVAST Software\Avast\log\autosandbox.log
Exchange Protection: C:\ProgramData\Avast Software\Avast\log\ExchangeShield.log
Firewall Configuration: C:\ProgramData\AVAST Software\Avast\log\FwServ.log
Mail Shield: C:\ProgramData\AVAST Software\Avast\log\Mail.log
Outlook addin: C:\ProgramData\AVAST Software\Avast\log\asOutExt64.log
Passwords: C:\ProgramData\AVAST Software\Avast\log\Pam.log
Patch Management: C:\ProgramData\Avast Software\PatchTools\History\*.zip
SecureDNS/Real Site: C:\ProgramData\AVAST Software\Avast\log\aswSecDns.log
SecureLine VPN: C:\ProgramData\AVAST Software\SecureLine\log\vpn_engine.log
Web Shield: C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log
Web Shield Debug (debug logging must be enabled): C:\ProgramData\AVAST Software\Avast\log\FilterEngine.log
Network Inspector: C:\ProgramData\AVAST Software\Avast\log\Hns.log
Windows Security Center (registration of Avast to WSC): C:\ProgramData\AVAST Software\Avast\log\wsc.log

Step 2 - Install Filebeat

deb (Debian/Ubuntu/Mint)

curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.15.1-amd64.deb
sudo dpkg -i -oss-7.15.1-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.15.1-x86_64.rpm
sudo rpm -vi -oss-7.15.1-x86_64.rpm

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.15.1-darwin-x86_64.tar.gz
tar xzvf -oss-7.15.1-darwin-x86_64.tar.gz

Windows

  • Download and extract the Windows zip file.
  • Rename the -<version>-windows directory to ``.
  • Open a PowerShell prompt as an Administrator.
  • Run the following to install as a Windows service:
.\install-service-.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-.ps1.

Step 3 - Configure Filebeat

Copy and use the Filebeat configuration below. It is written for Filebeat version 7.x.
# ============================== Filebeat inputs ==============================
filebeat.inputs:

# File System Shield report: each detection line begins with a date, so any
# line without one is folded into the preceding event.
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt
  fields:
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    type: pattern
    pattern: '(\d\d/\d\d/\d\d\d\d)'
    negate: true
    match: after

# Full Virus Scan report: one event per scan report header.
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\Full Virus Scan.txt
  fields:
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    type: pattern
    pattern: '^\* Avast Scan Report'
    negate: true
    match: after

# Boot-time scan report. Filebeat matches multiline.pattern against one line
# at a time, so the event start is anchored on the date/time line alone.
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\aswBoot.txt
  fields:
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    type: pattern
    pattern: '^\d{2}/\d{2}/\d{4} \d{2}:\d{2}'
    negate: true
    match: after

# Web Shield report: anchored on the "* Avast Real-time Shield Scan Report"
# header line; the pattern is matched per line, so the bare "*" line that
# precedes it is attached to the end of the previous report.
- type: log
  paths:
    - C:\ProgramData\Avast Software\Avast\report\WebShield.txt
  fields:
    type: avast
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    type: pattern
    pattern: '^\* Avast Real-time Shield Scan Report'
    negate: true
    match: after

filebeat.registry.path: 'C:\ProgramData\Filebeat'

# ================================== Outputs ===================================
No input available! Your stack is missing the required input for this data source. Talk to support to add the input.
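To check that a multiline pattern splits an Avast report the way you expect before shipping it, the following added script (not part of Logit.io's or Elastic's code) emulates Filebeat's `negate: true` / `match: after` grouping on a constructed FileSystemShield-style sample and flags patterns that can never match because they contain a newline; the sample lines and their layout are assumptions, not real Avast output.

```python
import re

# Constructed sample in the shape of a FileSystemShield.txt report
# (assumed layout, not a real Avast file): each detection starts with a date.
FILESYSTEMSHIELD_SAMPLE = [
    "09/12/2022 10:01:15 C:\\Users\\demo\\Downloads\\eicar.com [L] EICAR Test-NOT virus!!! (0)",
    "  action: moved to chest",
    "09/12/2022 10:05:40 C:\\Users\\demo\\tmp\\clean.bin [L] OK",
]

# Patterns taken from the Filebeat config above.
FILESYSTEMSHIELD_PATTERN = r'(\d\d/\d\d/\d\d\d\d)'
FULLSCAN_PATTERN = r'^\* Avast Scan Report'


def group_multiline(lines, pattern, negate=True, match="after"):
    """Emulate Filebeat's multiline reader for match: after.

    A line is a continuation line when (line matches pattern) != negate.
    With negate: true, a line that does NOT match the start-of-event pattern
    is appended to the event that began with the last matching line."""
    if match != "after":
        raise ValueError("only match: after is emulated here")
    rx = re.compile(pattern)
    events = []
    for line in lines:
        continuation = bool(rx.search(line)) != negate
        if continuation and events:
            events[-1] = events[-1] + "\n" + line
        else:
            events.append(line)
    return events


def pattern_is_line_safe(pattern):
    """Filebeat applies multiline.pattern to one line at a time, so a pattern
    that contains a newline (literal or as the two characters backslash-n)
    never matches; with negate: true every line then becomes a continuation
    of the first event until max_lines is reached."""
    return "\\n" not in pattern and "\n" not in pattern


def main():
    for i, event in enumerate(group_multiline(FILESYSTEMSHIELD_SAMPLE, FILESYSTEMSHIELD_PATTERN), 1):
        print(f"event {i}: {event!r}")
    print("full scan pattern usable:", pattern_is_line_safe(FULLSCAN_PATTERN))


if __name__ == "__main__":
    main()
```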

Step 4 - Start Filebeat

OK, time to start ingesting data!

deb/rpm

sudo systemctl enable filebeat
sudo systemctl start filebeat

macOS

./filebeat

Windows

PS C:\Program Files\Filebeat> Start-Service filebeat

Step 5 - How to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.


© 2022 Logit.io Ltd, All rights reserved.