Reading Gravity Zone Syslog

Shoresempai
edited January 2022 in Enterprise Security

I am writing a Python program to read Gravity Zone syslogs and am wondering about the log structure. I understand that Gravity Zone can produce different events (malware detection events, phishing/fraud events, etc.).

I am trying to understand if those events have some sort of header that identifies the event type or are these events placed into different logs?

For example, here is a log snippet (from the Gravity Zone manual), but other than reading the raw JSON, how does someone know that this is a malware event? Is there a header? Is there a "type_of_event" field somewhere? Reading the raw JSON to see if the word "malware" appears as a field seems sub-optimal, so I am just wondering if I am missing something.

Here is the sample JSON - yes, I can kind of figure out that this is a malware event due to the malware_type field, but I would rather say "If event_type = 'malware_event'" - but I don't see anywhere in the syslog samples where that is possible.

If anyone has a tool they are using to read these logs, would love to hear your approach...thank you in advance.

Mar 15 23:04:56 gz gravityzone: [av] {"computer_name":"DEMO-W7-11","computer_ip":"192.168.5.137","computer_id":"532806300678598e738b4571","product_installed":"EPS","malware_type":"file","malware_name":"BAT.Trojan.FormatC.Z","file_path":"C:\\Users\\username\\Desktop\\New Text Document.txt","final_status":"quarantined","timestamp":"2015-03-15T21:04:49.000Z","module":"av"}
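The sample above already carries the answer to the "is there a header" question twice: the bracketed tag right after `gravityzone:` (`[av]`) and the `"module":"av"` field inside the JSON both name the module that produced the event, so a reader can dispatch on that instead of searching the payload for the word "malware". The following Python is an added example written for this page; it is not code from the original post, from Bitdefender, or from the Gravity Zone manual. It assumes the line layout `<syslog time> <host> gravityzone: [<module>] <json>` seen in the one sample here, takes `av` from that sample, and treats the other module tags in `MODULE_NAMES` as assumptions to be checked against the manual's event list. The sample lines it parses are constructed (the first is the post's own line with the copy-paste line-wrap artifacts removed).

```python
"""Parse Bitdefender GravityZone syslog lines and classify each event.

Added example, not from the forum post or from Bitdefender. Assumptions:
the '<syslog time> <host> gravityzone: [<module>] <json>' layout is taken
from the single sample in the post, and every tag in MODULE_NAMES other
than "av" is an assumption to verify against the GravityZone manual.
"""
import json
import re

# Syslog prefix, the bracketed module tag, then the JSON payload.
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): \[(?P<module>[^\]]+)\] (?P<payload>\{.*\})\s*$"
)

# "av" is the tag in the post's sample; the other entries are assumptions.
MODULE_NAMES = {
    "av": "antimalware",
    "aph": "antiphishing",  # assumed tag, check the manual
    "fw": "firewall",       # assumed tag, check the manual
}


def parse_gz_syslog(line):
    """Split one GravityZone syslog line into syslog fields plus the event dict.

    Raises ValueError for lines that do not match the layout or carry
    malformed JSON, so a caller can count or alert on them instead of
    silently dropping them.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a GravityZone syslog line: %r" % line[:60])
    try:
        event = json.loads(m.group("payload"))
    except json.JSONDecodeError as exc:
        raise ValueError("bad JSON payload: %s" % exc) from exc
    tag = m.group("module")
    record = {
        "syslog_time": m.group("time"),
        "host": m.group("host"),
        "module": tag,
        "event_type": MODULE_NAMES.get(tag, "unknown(%s)" % tag),
        "event": event,
        "warnings": [],
    }
    # The bracket tag and the payload's own "module" field should agree;
    # a mismatch usually means the line was truncated or spliced in transit.
    inner = event.get("module")
    if inner is not None and inner != tag:
        record["warnings"].append("tag %r != module field %r" % (tag, inner))
    return record


def summarize(record):
    """One-line summary suitable for a console log or a detection pipeline."""
    ev = record["event"]
    if record["module"] == "av":
        return "%s: %s on %s (%s) -> %s" % (
            record["event_type"], ev.get("malware_name"), ev.get("computer_name"),
            ev.get("file_path"), ev.get("final_status"))
    return "%s event from %s" % (record["event_type"], ev.get("computer_name"))


# Constructed sample input: the first line is the post's sample with the
# line-wrap artifacts removed; the second is made up to show a mismatched
# tag being flagged rather than trusted.
SAMPLE_LINES = [
    'Mar 15 23:04:56 gz gravityzone: [av] {"computer_name":"DEMO-W7-11",'
    '"computer_ip":"192.168.5.137","computer_id":"532806300678598e738b4571",'
    '"product_installed":"EPS","malware_type":"file","malware_name":"BAT.Trojan.FormatC.Z",'
    '"file_path":"C:\\\\Users\\\\username\\\\Desktop\\\\New Text Document.txt",'
    '"final_status":"quarantined","timestamp":"2015-03-15T21:04:49.000Z","module":"av"}',
    'Mar 15 23:05:01 gz gravityzone: [av] {"computer_name":"DEMO-W7-12","module":"aph"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_gz_syslog(line)
        print(summarize(rec))
        for warning in rec["warnings"]:
            print("  WARNING:", warning)
```

Dispatching on the module tag keeps the per-event field handling (malware_name, file_path, final_status for `av`) in one place per module, and rejecting unparseable lines with an exception rather than skipping them makes a broken forwarder visible in your own counters.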
