[eset_protect]: Syslog broken on v9 Elastic Agent

[dmaasland]

Integration Name

ESET PROTECT [eset_protect]

Dataset Name

No response

Integration Version

1.11.0

Agent Version

9.2.0

Agent Output Type

elasticsearch

Elasticsearch Version

9.2.0

OS Version and Architecture

Kubernetes

Software/API Version

No response

Error Message

When using syslog on the ESET PROTECT integration on a v9.2 elastic agent, syslog messages become fragmented and parsing fails. Sometimes multiple messages will be combined into one, sometimes messages will have either the beginning or the end cut off.

Event Original

":""Information""}
<14>1 2025-11-03T11:15:08.064231Z b1708952-fb6c-48f8-a78f-fa08ae9f582b ERAServer 8999 - - {""occured"":""03-Nov-2025 11:12:44"",""domain"":""ESET Inspect"",""action"":""Detections"",""result"":""Success"",""detail"":""Detection \""Firewall resolved"",""event_type"":""Audit_Event"",""severity"":""Infor"

What did you do?

I've tried adding:

framing: delimiter
delimiter: \n

But that has not solved the issue. It does work for some of the events. But will now also split a message when a powershell script with "\n" in it is sent for example. Using the exact same integration policy on an older agent (8.19.5) works as expected.

What did you see?

The end of one message and the start of a second message

What did you expect to see?

One whole message

Anything else?

No response

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[dmaasland]

I realized just now that '\n' matches the string literal \n, not an actual newline. Still, the out of the box configuration fails on v9 agents.

[efd6]

I assume that you are having problems with the event data stream. Is that correct?

The default configuration for the input (which is what is used in the default case by the events data stream) uses \n as the line delimiter, so adding a delimiter: "\n" is not expected to make any change in behaviour (the default framing type is "delimiter", so this is also expected to work OotB).

It would be helpful to see the actual data that is being sent over TCP to avoid addition of syntax and to see the exact bytes that are sent. This can be done by setting up an nc listener on the port you are sending the ESET data to and capturing the raw bytes, or by using a packet capture. The (sanitised) configuration for the data stream would also be helpful.

[dmaasland]

I've created a little debug script to reproduce this. It just sends a couple of messages multiple times. The only thing I changed is the version of the elastic-agent container. From 8.19.5 to 9.2.0. Here is the script:

#!/usr/bin/env python

import json
import socket
import ssl
from uuid import uuid4

ELASTIC_AGENT_HOST = "<elastic-agent-ssl-address>"
ELASTIC_AGENT_PORT = 6514
SSL = True
TIMES_TO_SEND = 100


SYSLOG_HEADER = b"<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - "
MESSAGES = [
    {
        "occured": "04-Nov-2025 09:33:03",
        "domain": "ESET LiveGuard",
        "action": "Deploy",
        "result": "Success",
        "detail": "Enabling on selected targets.",
        "event_type": "Audit_Event",
        "severity": "Information",
    },
    {
        "source_uuid": "9e3571e9-c58d-446a-ba90-b8ee0bafa979",
        "occured": "03-Nov-2025 13:19:50",
        "threat_type": "Test file",
        "threat_name": "Eicar",
        "threat_flags": "",
        "scanner_id": "Real-time file system protection",
        "scan_id": "virlog.dat",
        "object_type": "File",
        "object_uri": "file:///C:/Users/Tuvok/Desktop/detect me.txt",
        "action_taken": "Cleaned by deleting",
        "action_error": "",
        "threat_handled": "true",
        "need_restart": "false",
        "username": "Voyager\\Tuvok",
        "processname": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe",
        "circumstances": "Event occurred on a modified file.",
        "engine_version": "32129 (20251103)",
        "firstseen": "03-Nov-2025 13:18:57",
        "hash": "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575",
        "detection_uuid": "6ed159ec-ab53-f64f-05b6-613cfa058f7c",
        "ipv4": "192.168.234.128",
        "ipv6": "fe80::4b4a:a154:2097:9558",
        "hostname": "Voyager",
        "os_name": "Microsoft Windows 11 Pro",
        "group_name": "All/Companies/ESETNL Business Support DEMO/United Federation of Planets",
        "group_description": "A static group created automatically via synchronization",
        "event_type": "Threat_Event",
        "severity": "Warning",
    },
]


def main() -> None:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    if SSL:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        sock = context.wrap_socket(sock, server_hostname=ELASTIC_AGENT_HOST)

    try:
        try:
            sock.connect((ELASTIC_AGENT_HOST, ELASTIC_AGENT_PORT))
        except ssl.SSLError as e:
            print(f"SSL handshake error ignored: {e}")
            # Continue anyway
        except Exception as e:
            print(f"Connection error: {e}")
            return

        for message in MESSAGES:
            syslog_message = (
                SYSLOG_HEADER + json.dumps(message).encode("utf-8-sig") + b"\n"
            )
            for i in range(TIMES_TO_SEND):
                try:
                    sock.sendall(syslog_message)
                    print(f"Sent: {syslog_message}")
                except Exception as e:
                    print(f"Send error: {e}")

        # Gracefully close the connection
        if SSL:
            sock.unwrap()  # Close SSL layer first

    finally:
        # Always close the socket, even if an error occurred
        try:
            sock.close()
            print("Connection closed")
        except Exception as e:
            print(f"Error closing socket: {e}")


if __name__ == "__main__":
    main()

Here is the output (raw bytes):

[..]
Sent: b'<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - \xef\xbb\xbf{"occured": "04-Nov-2025 09:33:03", "domain": "ESET LiveGuard", "action": "Deploy", "result": "Success", "detail": "Enabling on selected targets.", "event_type": "Audit_Event", "severity": "Information"}\n'
Sent: b'<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - \xef\xbb\xbf{"occured": "04-Nov-2025 09:33:03", "domain": "ESET LiveGuard", "action": "Deploy", "result": "Success", "detail": "Enabling on selected targets.", "event_type": "Audit_Event", "severity": "Information"}\n'
Sent: b'<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - \xef\xbb\xbf{"occured": "04-Nov-2025 09:33:03", "domain": "ESET LiveGuard", "action": "Deploy", "result": "Success", "detail": "Enabling on selected targets.", "event_type": "Audit_Event", "severity": "Information"}\n'
Sent: b'<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - \xef\xbb\xbf{"source_uuid": "9e3571e9-c58d-446a-ba90-b8ee0bafa979", "occured": "03-Nov-2025 13:19:50", "threat_type": "Test file", "threat_name": "Eicar", "threat_flags": "", "scanner_id": "Real-time file system protection", "scan_id": "virlog.dat", "object_type": "File", "object_uri": "file:///C:/Users/Tuvok/Desktop/detect me.txt", "action_taken": "Cleaned by deleting", "action_error": "", "threat_handled": "true", "need_restart": "false", "username": "Voyager\\\\Tuvok", "processname": "C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe", "circumstances": "Event occurred on a modified file.", "engine_version": "32129 (20251103)", "firstseen": "03-Nov-2025 13:18:57", "hash": "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575", "detection_uuid": "6ed159ec-ab53-f64f-05b6-613cfa058f7c", "ipv4": "192.168.234.128", "ipv6": "fe80::4b4a:a154:2097:9558", "hostname": "Voyager", "os_name": "Microsoft Windows 11 Pro", "group_name": "All/Companies/ESETNL Business Support DEMO/United Federation of Planets", "group_description": "A static group created automatically via synchronization", "event_type": "Threat_Event", "severity": "Warning"}\n'
Sent: b'<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - \xef\xbb\xbf{"source_uuid": "9e3571e9-c58d-446a-ba90-b8ee0bafa979", "occured": "03-Nov-2025 13:19:50", "threat_type": "Test file", "threat_name": "Eicar", "threat_flags": "", "scanner_id": "Real-time file system protection", "scan_id": "virlog.dat", "object_type": "File", "object_uri": "file:///C:/Users/Tuvok/Desktop/detect me.txt", "action_taken": "Cleaned by deleting", "action_error": "", "threat_handled": "true", "need_restart": "false", "username": "Voyager\\\\Tuvok", "processname": "C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe", "circumstances": "Event occurred on a modified file.", "engine_version": "32129 (20251103)", "firstseen": "03-Nov-2025 13:18:57", "hash": "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575", "detection_uuid": "6ed159ec-ab53-f64f-05b6-613cfa058f7c", "ipv4": "192.168.234.128", "ipv6": "fe80::4b4a:a154:2097:9558", "hostname": "Voyager", "os_name": "Microsoft Windows 11 Pro", "group_name": "All/Companies/ESETNL Business Support DEMO/United Federation of Planets", "group_description": "A static group created automatically via synchronization", "event_type": "Threat_Event", "severity": "Warning"}\n'
Sent: b'<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - \xef\xbb\xbf{"source_uuid": "9e3571e9-c58d-446a-ba90-b8ee0bafa979", "occured": "03-Nov-2025 13:19:50", "threat_type": "Test file", "threat_name": "Eicar", "threat_flags": "", "scanner_id": "Real-time file system protection", "scan_id": "virlog.dat", "object_type": "File", "object_uri": "file:///C:/Users/Tuvok/Desktop/detect me.txt", "action_taken": "Cleaned by deleting", "action_error": "", "threat_handled": "true", "need_restart": "false", "username": "Voyager\\\\Tuvok", "processname": "C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe", "circumstances": "Event occurred on a modified file.", "engine_version": "32129 (20251103)", "firstseen": "03-Nov-2025 13:18:57", "hash": "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575", "detection_uuid": "6ed159ec-ab53-f64f-05b6-613cfa058f7c", "ipv4": "192.168.234.128", "ipv6": "fe80::4b4a:a154:2097:9558", "hostname": "Voyager", "os_name": "Microsoft Windows 11 Pro", "group_name": "All/Companies/ESETNL Business Support DEMO/United Federation of Planets", "group_description": "A static group created automatically via synchronization", "event_type": "Threat_Event", "severity": "Warning"}\n'
[..]

v8 output

Full doc, parsed correctly:

{
  "_index": ".ds-logs-eset_protect.event-demolab-2025.10.29-000095",
  "_id": "UX1jTpoBDxssi_j47byW",
  "_version": 1,
  "_source": {
    "agent": {
      "name": "elastic-agent-demolab-5c54bfb76-bjfqm",
      "id": "831e5aa4-9f03-49a8-959c-9961139c5f63",
      "ephemeral_id": "09ffe069-d6be-4f00-961b-80bc7cfd26c7",
      "type": "filebeat",
      "version": "8.19.5"
    },
    "process": {
      "name": "Notepad.exe",
      "executable": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"
    },
    "log": {
      "source": {
        "address": "10.224.0.149:40062"
      },
      "syslog": {
        "severity": {
          "code": 6,
          "name": "Informational"
        },
        "hostname": "005a212b-c0bf-40ab-93a0-f757129c0e81",
        "appname": "ERAServer",
        "procid": "8999",
        "priority": 14,
        "version": "1",
        "facility": {
          "code": 1,
          "name": "user-level"
        }
      }
    },
    "elastic_agent": {
      "id": "831e5aa4-9f03-49a8-959c-9961139c5f63",
      "version": "8.19.5",
      "snapshot": false
    },
    "tags": [
      "preserve_original_event",
      "customer.eset-mdr.nl/demolab",
      "eset_protect-event",
      "forwarded",
      "terraform-managed"
    ],
    "cloud": {
      "instance": {
        "name": "aks-userpool-84077292-vmss_73",
        "id": "b840d0ab-6b2b-4dc2-a9ee-1d5a5f5b59f6"
      },
      "provider": "azure",
      "machine": {
        "type": "Standard_D4s_v3"
      },
      "service": {
        "name": "Virtual Machines"
      },
      "region": "westeurope",
      "account": {
        "id": "addbd166-b2b1-471f-bda3-fb69e1a2ea39"
      }
    },
    "input": {
      "type": "tcp"
    },
    "@timestamp": "2025-11-03T13:19:50.000Z",
    "file": {
      "path": "C:/Users/Tuvok/Desktop/detect me.txt",
      "drive_letter": "C",
      "name": "detect me.txt",
      "type": "file",
      "directory": "/Users/Tuvok/Desktop/",
      "hash": {
        "sha1": "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
      }
    },
    "ecs": {
      "version": "8.11.0"
    },
    "related": {
      "hosts": [
        "voyager",
        "Voyager",
        "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
      ],
      "ip": [
        "192.168.234.128",
        "fe80::4b4a:a154:2097:9558"
      ],
      "user": [
        "Tuvok"
      ],
      "hash": [
        "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
      ]
    },
    "data_stream": {
      "namespace": "demolab",
      "type": "logs",
      "dataset": "eset_protect.event"
    },
    "host": {
      "hostname": "Voyager",
      "os": {
        "name": "Microsoft Windows 11 Pro"
      },
      "ip": [
        "192.168.234.128",
        "fe80::4b4a:a154:2097:9558"
      ],
      "name": "voyager",
      "id": "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
    },
    "threat": {
      "indicator": {
        "first_seen": "2025-11-03T13:18:57.000Z",
        "file": {
          "hash": {
            "sha1": "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
          }
        },
        "provider": "ESET PROTECT",
        "name": "Eicar",
        "type": "file"
      }
    },
    "event": {
      "agent_id_status": "verified",
      "reason": "Event occurred on a modified file.",
      "ingested": "2025-11-04T10:22:43Z",
      "original": "{\"source_uuid\": \"9e3571e9-c58d-446a-ba90-b8ee0bafa979\", \"occured\": \"03-Nov-2025 13:19:50\", \"threat_type\": \"Test file\", \"threat_name\": \"Eicar\", \"threat_flags\": \"\", \"scanner_id\": \"Real-time file system protection\", \"scan_id\": \"virlog.dat\", \"object_type\": \"File\", \"object_uri\": \"file:///C:/Users/Tuvok/Desktop/detect me.txt\", \"action_taken\": \"Cleaned by deleting\", \"action_error\": \"\", \"threat_handled\": \"true\", \"need_restart\": \"false\", \"username\": \"Voyager\\\\Tuvok\", \"processname\": \"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe\", \"circumstances\": \"Event occurred on a modified file.\", \"engine_version\": \"32129 (20251103)\", \"firstseen\": \"03-Nov-2025 13:18:57\", \"hash\": \"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\", \"detection_uuid\": \"6ed159ec-ab53-f64f-05b6-613cfa058f7c\", \"ipv4\": \"192.168.234.128\", \"ipv6\": \"fe80::4b4a:a154:2097:9558\", \"hostname\": \"Voyager\", \"os_name\": \"Microsoft Windows 11 Pro\", \"group_name\": \"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\", \"group_description\": \"A static group created automatically via synchronization\", \"event_type\": \"Threat_Event\", \"severity\": \"Warning\"}",
      "kind": "alert",
      "action": "cleaned-by-deleting",
      "category": [
        "threat"
      ],
      "type": [
        "indicator"
      ],
      "dataset": "eset_protect.event"
    },
    "user": {
      "domain": "Voyager",
      "name": "Tuvok"
    },
    "eset_protect": {
      "event": {
        "type": "Threat_Event",
        "scanner_id": "Real-time file system protection",
        "threat_handled": true,
        "need_restart": false,
        "threat_type": "Test file",
        "is_handled": false,
        "severity": "Warning",
        "object_type": "File",
        "action_taken": "Cleaned by deleting",
        "object_uri": "file:///C:/Users/Tuvok/Desktop/detect me.txt",
        "detection_uuid": "6ed159ec-ab53-f64f-05b6-613cfa058f7c",
        "scan_id": "virlog.dat",
        "engine_version": "32129 (20251103)",
        "group_description": "A static group created automatically via synchronization",
        "hash": "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575",
        "username": "Voyager\\Tuvok"
      }
    },
    "group": {
      "name": "All/Companies/ESETNL Business Support DEMO/United Federation of Planets"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.19.5"
    ],
    "event.category": [
      "threat"
    ],
    "host.os.name.text": [
      "Microsoft Windows 11 Pro"
    ],
    "eset_protect.event.severity": [
      "Warning"
    ],
    "host.hostname": [
      "Voyager"
    ],
    "threat.indicator.provider": [
      "ESET PROTECT"
    ],
    "eset_protect.event.need_restart": [
      false
    ],
    "eset_protect.event.action_taken": [
      "Cleaned by deleting"
    ],
    "log.syslog.facility.name": [
      "user-level"
    ],
    "threat.indicator.name": [
      "Eicar"
    ],
    "agent.name.text": [
      "elastic-agent-demolab-5c54bfb76-bjfqm"
    ],
    "cloud.service.name.text": [
      "Virtual Machines"
    ],
    "log.syslog.severity.name": [
      "Informational"
    ],
    "agent.name": [
      "elastic-agent-demolab-5c54bfb76-bjfqm"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "group.name": [
      "All/Companies/ESETNL Business Support DEMO/United Federation of Planets"
    ],
    "file.path.text": [
      "C:/Users/Tuvok/Desktop/detect me.txt"
    ],
    "cloud.region": [
      "westeurope"
    ],
    "group.name.text": [
      "All/Companies/ESETNL Business Support DEMO/United Federation of Planets"
    ],
    "input.type": [
      "tcp"
    ],
    "related.user": [
      "Tuvok"
    ],
    "tags": [
      "preserve_original_event",
      "customer.eset-mdr.nl/demolab",
      "eset_protect-event",
      "forwarded",
      "terraform-managed"
    ],
    "cloud.machine.type": [
      "Standard_D4s_v3"
    ],
    "cloud.provider": [
      "azure"
    ],
    "agent.id": [
      "831e5aa4-9f03-49a8-959c-9961139c5f63"
    ],
    "log.source.address": [
      "10.224.0.149:40062"
    ],
    "eset_protect.event.engine_version": [
      "32129 (20251103)"
    ],
    "threat.indicator.type": [
      "file"
    ],
    "eset_protect.event.type": [
      "Threat_Event"
    ],
    "log.syslog.hostname": [
      "005a212b-c0bf-40ab-93a0-f757129c0e81"
    ],
    "user.name": [
      "Tuvok"
    ],
    "eset_protect.event.object_uri": [
      "file:///C:/Users/Tuvok/Desktop/detect me.txt"
    ],
    "eset_protect.event.scanner_id": [
      "Real-time file system protection"
    ],
    "cloud.instance.id": [
      "b840d0ab-6b2b-4dc2-a9ee-1d5a5f5b59f6"
    ],
    "host.ip": [
      "192.168.234.128",
      "fe80::4b4a:a154:2097:9558"
    ],
    "agent.type": [
      "filebeat"
    ],
    "process.executable.text": [
      "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"
    ],
    "related.ip": [
      "192.168.234.128",
      "fe80::4b4a:a154:2097:9558"
    ],
    "eset_protect.event.threat_type": [
      "Test file"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "eset_protect.event.is_handled": [
      false
    ],
    "user.domain": [
      "Voyager"
    ],
    "host.id": [
      "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
    ],
    "file.directory": [
      "/Users/Tuvok/Desktop/"
    ],
    "log.syslog.severity.name.text": [
      "Informational"
    ],
    "elastic_agent.id": [
      "831e5aa4-9f03-49a8-959c-9961139c5f63"
    ],
    "eset_protect.event.hash": [
      "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575"
    ],
    "file.name": [
      "detect me.txt"
    ],
    "event.action": [
      "cleaned-by-deleting"
    ],
    "event.ingested": [
      "2025-11-04T10:22:43.000Z"
    ],
    "@timestamp": [
      "2025-11-03T13:19:50.000Z"
    ],
    "cloud.account.id": [
      "addbd166-b2b1-471f-bda3-fb69e1a2ea39"
    ],
    "data_stream.dataset": [
      "eset_protect.event"
    ],
    "agent.ephemeral_id": [
      "09ffe069-d6be-4f00-961b-80bc7cfd26c7"
    ],
    "log.syslog.facility.code": [
      1
    ],
    "cloud.instance.name": [
      "aks-userpool-84077292-vmss_73"
    ],
    "user.name.text": [
      "Tuvok"
    ],
    "file.path": [
      "C:/Users/Tuvok/Desktop/detect me.txt"
    ],
    "threat.indicator.first_seen": [
      "2025-11-03T13:18:57.000Z"
    ],
    "process.name.text": [
      "Notepad.exe"
    ],
    "eset_protect.event.scan_id": [
      "virlog.dat"
    ],
    "eset_protect.event.threat_handled": [
      true
    ],
    "host.name.text": [
      "voyager"
    ],
    "related.hash": [
      "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
    ],
    "event.reason": [
      "Event occurred on a modified file."
    ],
    "host.os.name": [
      "Microsoft Windows 11 Pro"
    ],
    "host.name": [
      "voyager"
    ],
    "event.kind": [
      "alert"
    ],
    "event.original": [
      "{\"source_uuid\": \"9e3571e9-c58d-446a-ba90-b8ee0bafa979\", \"occured\": \"03-Nov-2025 13:19:50\", \"threat_type\": \"Test file\", \"threat_name\": \"Eicar\", \"threat_flags\": \"\", \"scanner_id\": \"Real-time file system protection\", \"scan_id\": \"virlog.dat\", \"object_type\": \"File\", \"object_uri\": \"file:///C:/Users/Tuvok/Desktop/detect me.txt\", \"action_taken\": \"Cleaned by deleting\", \"action_error\": \"\", \"threat_handled\": \"true\", \"need_restart\": \"false\", \"username\": \"Voyager\\\\Tuvok\", \"processname\": \"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe\", \"circumstances\": \"Event occurred on a modified file.\", \"engine_version\": \"32129 (20251103)\", \"firstseen\": \"03-Nov-2025 13:18:57\", \"hash\": \"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\", \"detection_uuid\": \"6ed159ec-ab53-f64f-05b6-613cfa058f7c\", \"ipv4\": \"192.168.234.128\", \"ipv6\": \"fe80::4b4a:a154:2097:9558\", \"hostname\": \"Voyager\", \"os_name\": \"Microsoft Windows 11 Pro\", \"group_name\": \"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\", \"group_description\": \"A static group created automatically via synchronization\", \"event_type\": \"Threat_Event\", \"severity\": \"Warning\"}"
    ],
    "log.syslog.severity.code": [
      6
    ],
    "cloud.instance.name.text": [
      "aks-userpool-84077292-vmss_73"
    ],
    "eset_protect.event.detection_uuid": [
      "6ed159ec-ab53-f64f-05b6-613cfa058f7c"
    ],
    "data_stream.type": [
      "logs"
    ],
    "process.name": [
      "Notepad.exe"
    ],
    "cloud.service.name": [
      "Virtual Machines"
    ],
    "file.type": [
      "file"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "agent.version": [
      "8.19.5"
    ],
    "related.hosts": [
      "voyager",
      "Voyager",
      "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
    ],
    "eset_protect.event.username": [
      "Voyager\\Tuvok"
    ],
    "log.syslog.appname": [
      "ERAServer"
    ],
    "eset_protect.event.object_type": [
      "File"
    ],
    "file.hash.sha1": [
      "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
    ],
    "event.module": [
      "eset_protect"
    ],
    "log.syslog.priority": [
      14
    ],
    "process.executable": [
      "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"
    ],
    "log.syslog.version": [
      "1"
    ],
    "data_stream.namespace": [
      "demolab"
    ],
    "eset_protect.event.group_description": [
      "A static group created automatically via synchronization"
    ],
    "threat.indicator.name.text": [
      "Eicar"
    ],
    "log.syslog.procid": [
      "8999"
    ],
    "file.name.text": [
      "detect me.txt"
    ],
    "file.drive_letter": [
      "C"
    ],
    "log.syslog.facility.name.text": [
      "user-level"
    ],
    "event.type": [
      "indicator"
    ],
    "threat.indicator.file.hash.sha1": [
      "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
    ],
    "event.dataset": [
      "eset_protect.event"
    ]
  }
}

v9 output

"syslog failed to process field ""message"": parsing error at position 7: unexpected EOF", "Processor grok with tag grok_event_original in pipeline logs-eset_protect.event-1.11.1 failed with message: Provided Grok expressions do not match field value: [threat_name"":""Eicar"",""threat_flags"":"""",""scanner_id"":""Real-time file system protection"",""scan_id"":""virlog.dat"",""object_type"":""File"",""object_uri"":""file:///C:/Users/Tuvok/Desktop/detect me.txt"",""action_taken"":""Cleaned by deleting"",""action_error"":"""",""threat_handled"":""true"",""need_restart"":""false"",""username"":""Voyager\Tuvok"",""processname"":""C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe"",""circumstances"":""Event occurred on a modified file."",""engine_version"":""32129 (20251103)"",""firstseen"":""03-Nov-2025 13:18:57"",""hash"":""C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575"",""detection_uuid"":""6ed159ec-ab53-f64f-05b6-613cfa058f7c"",""ipv4"":""192.168.234.128"",""ipv6"":""fe80::4b4a:a154:2097:9558"",""hostname"":""Voyager"",""os_name"":""Microsoft Windows 11 Pro"",""group_name"":""All/Companies/ESETNL Business Support DEMO/United Federation of Planets"",""group_description"":""A static group created automatically via synchronization"",""event_type"":""Threat_Event"",""severity"":""Warning""}
<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - {""source_uuid"":""9e3571e9-c58d-446a-ba90-b8ee0bafa979"",""occured"":""03-Nov-2025 13:19:50"",""threat_type"":""Test file"",]"

Full doc:

{
  "_index": ".ds-logs-eset_protect.event-demolab-2025.10.29-000095",
  "_id": "tJxWTpoBQ4zN2WvG04z7",
  "_version": 1,
  "_source": {
    "agent": {
      "name": "elastic-agent-demolab-85d467bcf4-7qxfk",
      "id": "f8e0e55d-fcea-47b4-b4e5-2d9584e167ca",
      "ephemeral_id": "9def44fd-e7dc-42f8-a2bb-b8127d481ce7",
      "type": "filebeat",
      "version": "9.2.0"
    },
    "log": {
      "source": {
        "address": "10.224.0.149:50866"
      }
    },
    "elastic_agent": {
      "id": "f8e0e55d-fcea-47b4-b4e5-2d9584e167ca",
      "version": "9.2.0",
      "snapshot": false
    },
    "error": {
      "message": [
        "syslog failed to process field \"message\": parsing error at position 7: unexpected EOF",
        "Processor grok with tag grok_event_original in pipeline logs-eset_protect.event-1.11.1 failed with message: Provided Grok expressions do not match field value: [threat_name\":\"Eicar\",\"threat_flags\":\"\",\"scanner_id\":\"Real-time file system protection\",\"scan_id\":\"virlog.dat\",\"object_type\":\"File\",\"object_uri\":\"file:///C:/Users/Tuvok/Desktop/detect me.txt\",\"action_taken\":\"Cleaned by deleting\",\"action_error\":\"\",\"threat_handled\":\"true\",\"need_restart\":\"false\",\"username\":\"Voyager\\Tuvok\",\"processname\":\"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe\",\"circumstances\":\"Event occurred on a modified file.\",\"engine_version\":\"32129 (20251103)\",\"firstseen\":\"03-Nov-2025 13:18:57\",\"hash\":\"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\",\"detection_uuid\":\"6ed159ec-ab53-f64f-05b6-613cfa058f7c\",\"ipv4\":\"192.168.234.128\",\"ipv6\":\"fe80::4b4a:a154:2097:9558\",\"hostname\":\"Voyager\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_name\":\"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\",\"group_description\":\"A static group created automatically via synchronization\",\"event_type\":\"Threat_Event\",\"severity\":\"Warning\"}\n<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - {\"source_uuid\":\"9e3571e9-c58d-446a-ba90-b8ee0bafa979\",\"occured\":\"03-Nov-2025 13:19:50\",\"threat_type\":\"Test file\",]"
      ]
    },
    "tags": [
      "preserve_original_event",
      "customer.eset-mdr.nl/demolab",
      "eset_protect-event",
      "forwarded",
      "terraform-managed"
    ],
    "cloud": {
      "instance": {
        "name": "aks-userpool-84077292-vmss_73",
        "id": "b840d0ab-6b2b-4dc2-a9ee-1d5a5f5b59f6"
      },
      "provider": "azure",
      "machine": {
        "type": "Standard_D4s_v3"
      },
      "service": {
        "name": "Virtual Machines"
      },
      "region": "westeurope",
      "account": {
        "id": "addbd166-b2b1-471f-bda3-fb69e1a2ea39"
      }
    },
    "input": {
      "type": "tcp"
    },
    "@timestamp": "2025-11-04T10:08:19.462Z",
    "ecs": {
      "version": "8.11.0"
    },
    "data_stream": {
      "namespace": "demolab",
      "type": "logs",
      "dataset": "eset_protect.event"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2025-11-04T10:08:24Z",
      "original": "threat_name\":\"Eicar\",\"threat_flags\":\"\",\"scanner_id\":\"Real-time file system protection\",\"scan_id\":\"virlog.dat\",\"object_type\":\"File\",\"object_uri\":\"file:///C:/Users/Tuvok/Desktop/detect me.txt\",\"action_taken\":\"Cleaned by deleting\",\"action_error\":\"\",\"threat_handled\":\"true\",\"need_restart\":\"false\",\"username\":\"Voyager\\Tuvok\",\"processname\":\"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe\",\"circumstances\":\"Event occurred on a modified file.\",\"engine_version\":\"32129 (20251103)\",\"firstseen\":\"03-Nov-2025 13:18:57\",\"hash\":\"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\",\"detection_uuid\":\"6ed159ec-ab53-f64f-05b6-613cfa058f7c\",\"ipv4\":\"192.168.234.128\",\"ipv6\":\"fe80::4b4a:a154:2097:9558\",\"hostname\":\"Voyager\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_name\":\"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\",\"group_description\":\"A static group created automatically via synchronization\",\"event_type\":\"Threat_Event\",\"severity\":\"Warning\"}\n<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - {\"source_uuid\":\"9e3571e9-c58d-446a-ba90-b8ee0bafa979\",\"occured\":\"03-Nov-2025 13:19:50\",\"threat_type\":\"Test file\",",
      "kind": [
        "alert",
        "pipeline_error"
      ],
      "dataset": "eset_protect.event"
    },
    "eset_protect": {
      "event": {
        "is_handled": false
      }
    }
  },
  "fields": {
    "elastic_agent.version": [
      "9.2.0"
    ],
    "cloud.instance.id": [
      "b840d0ab-6b2b-4dc2-a9ee-1d5a5f5b59f6"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "eset_protect"
    ],
    "agent.name.text": [
      "elastic-agent-demolab-85d467bcf4-7qxfk"
    ],
    "cloud.service.name.text": [
      "Virtual Machines"
    ],
    "agent.name": [
      "elastic-agent-demolab-85d467bcf4-7qxfk"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "eset_protect.event.is_handled": [
      false
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "alert",
      "pipeline_error"
    ],
    "event.original": [
      "threat_name\":\"Eicar\",\"threat_flags\":\"\",\"scanner_id\":\"Real-time file system protection\",\"scan_id\":\"virlog.dat\",\"object_type\":\"File\",\"object_uri\":\"file:///C:/Users/Tuvok/Desktop/detect me.txt\",\"action_taken\":\"Cleaned by deleting\",\"action_error\":\"\",\"threat_handled\":\"true\",\"need_restart\":\"false\",\"username\":\"Voyager\\Tuvok\",\"processname\":\"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe\",\"circumstances\":\"Event occurred on a modified file.\",\"engine_version\":\"32129 (20251103)\",\"firstseen\":\"03-Nov-2025 13:18:57\",\"hash\":\"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\",\"detection_uuid\":\"6ed159ec-ab53-f64f-05b6-613cfa058f7c\",\"ipv4\":\"192.168.234.128\",\"ipv6\":\"fe80::4b4a:a154:2097:9558\",\"hostname\":\"Voyager\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_name\":\"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\",\"group_description\":\"A static group created automatically via synchronization\",\"event_type\":\"Threat_Event\",\"severity\":\"Warning\"}\n<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - {\"source_uuid\":\"9e3571e9-c58d-446a-ba90-b8ee0bafa979\",\"occured\":\"03-Nov-2025 13:19:50\",\"threat_type\":\"Test file\","
    ],
    "cloud.region": [
      "westeurope"
    ],
    "cloud.instance.name.text": [
      "aks-userpool-84077292-vmss_73"
    ],
    "elastic_agent.id": [
      "f8e0e55d-fcea-47b4-b4e5-2d9584e167ca"
    ],
    "data_stream.namespace": [
      "demolab"
    ],
    "input.type": [
      "tcp"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "customer.eset-mdr.nl/demolab",
      "eset_protect-event",
      "forwarded",
      "terraform-managed"
    ],
    "cloud.machine.type": [
      "Standard_D4s_v3"
    ],
    "cloud.provider": [
      "azure"
    ],
    "event.ingested": [
      "2025-11-04T10:08:24.000Z"
    ],
    "@timestamp": [
      "2025-11-04T10:08:19.462Z"
    ],
    "agent.id": [
      "f8e0e55d-fcea-47b4-b4e5-2d9584e167ca"
    ],
    "cloud.service.name": [
      "Virtual Machines"
    ],
    "cloud.account.id": [
      "addbd166-b2b1-471f-bda3-fb69e1a2ea39"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "error.message": [
      "syslog failed to process field \"message\": parsing error at position 7: unexpected EOF",
      "Processor grok with tag grok_event_original in pipeline logs-eset_protect.event-1.11.1 failed with message: Provided Grok expressions do not match field value: [threat_name\":\"Eicar\",\"threat_flags\":\"\",\"scanner_id\":\"Real-time file system protection\",\"scan_id\":\"virlog.dat\",\"object_type\":\"File\",\"object_uri\":\"file:///C:/Users/Tuvok/Desktop/detect me.txt\",\"action_taken\":\"Cleaned by deleting\",\"action_error\":\"\",\"threat_handled\":\"true\",\"need_restart\":\"false\",\"username\":\"Voyager\\Tuvok\",\"processname\":\"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe\",\"circumstances\":\"Event occurred on a modified file.\",\"engine_version\":\"32129 (20251103)\",\"firstseen\":\"03-Nov-2025 13:18:57\",\"hash\":\"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\",\"detection_uuid\":\"6ed159ec-ab53-f64f-05b6-613cfa058f7c\",\"ipv4\":\"192.168.234.128\",\"ipv6\":\"fe80::4b4a:a154:2097:9558\",\"hostname\":\"Voyager\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_name\":\"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\",\"group_description\":\"A static group created automatically via synchronization\",\"event_type\":\"Threat_Event\",\"severity\":\"Warning\"}\n<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - {\"source_uuid\":\"9e3571e9-c58d-446a-ba90-b8ee0bafa979\",\"occured\":\"03-Nov-2025 13:19:50\",\"threat_type\":\"Test file\",]"
    ],
    "log.source.address": [
      "10.224.0.149:50866"
    ],
    "data_stream.dataset": [
      "eset_protect.event"
    ],
    "agent.ephemeral_id": [
      "9def44fd-e7dc-42f8-a2bb-b8127d481ce7"
    ],
    "agent.version": [
      "9.2.0"
    ],
    "event.dataset": [
      "eset_protect.event"
    ],
    "cloud.instance.name": [
      "aks-userpool-84077292-vmss_73"
    ]
  }
}

The weird thing is, it will sometimes parse just fine. Other times it will throw different errors:

"syslog failed to process field ""message"": parsing error at position 5: unexpected EOF", "Processor grok with tag grok_event_original in pipeline logs-eset_protect.event-1.11.1 failed with message: Provided Grok expressions do not match field value: [need_restart"": ""false"", ""username"": ""Voyager\\Tuvok"", ""processname"": ""C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"", ""circumstances"": ""Event occurred on a modified file."", ""engine_version"": ""32129 (20251103)"", ""firstseen"": ""03-Nov-2025 13:18:57"", ""hash"": ""C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575"", ""detection_uuid"": ""6ed159ec-ab53-f64f-05b6-613cfa058f7c"", ""ipv4"": ""192.168.234.128"", ""ipv6"": ""fe80::4b4a:a154:2097:9558"", ""hostname"": ""Voyager"", ""os_name"": ""Microsoft Windows 11 Pro"", ""group_name"": ""All/Companies/ESETNL Business Support DEMO/United Federation of Planets"", ""group_description"": ""A static group created automatically via synchronization"", ""event_type"": ""Threat_Event"", ""severity"": ""Warning""}
<14>1 2025-11-04T09:37:07.502817Z 005a212b-c0bf-40ab-93a0-f757129c0e81 ERAServer 8999 - - {""source_uuid"": ""9e3571e9-c58d-446a-ba90-b8ee0bafa979"", ""occured"": ""03-Nov-2025 13:19:50"", ""threat_type"": ""Test file"", ""threat_name"": ""Eicar100"", ""threat_flags"": """", ""scanner_id"": ""Real-time file system protection"", ""scan_id"": ""virlog.dat"", ""object_type"": ""File"", ""object_uri"": ""file:///C:/Users/Tuvok/Desktop/detect me.txt"", ""action_taken"": ""Cleaned by deleting"", ""action_error"": """", ""threat_handled"": ""true"", ]"

"Processor json with tag json_event_original in pipeline logs-eset_protect.event-1.11.1 failed with message: Unexpected end-of-input: was expecting closing quote for a string value
 at [Source: (String)""{""source_uuid"": ""9e3571e9-c58d-446a-ba90-b8ee0bafa979"", ""occured"": ""03-Nov-2025 13:19:50"", ""threat_type"": ""Test file"", ""threat_name"": ""Eicar100"", ""threat_flags"": """", ""scanner_id"": ""Real-time file system ""; line: 1, column: 204]"

Here is a working example on v9 (only changed threat name to Eicar100 to make sure I searched for the correct one):

{
  "_index": ".ds-logs-eset_protect.event-demolab-2025.10.29-000095",
  "_id": "_6hnTpoBQ4zN2WvGgpxt",
  "_version": 1,
  "_source": {
    "agent": {
      "name": "elastic-agent-demolab-85d467bcf4-dp5l9",
      "id": "4c0ddde0-f0a2-47a5-991b-952ee38fb024",
      "type": "filebeat",
      "ephemeral_id": "5d85f27c-d744-4e29-aee6-7c9f706d963c",
      "version": "9.2.0"
    },
    "process": {
      "name": "Notepad.exe",
      "executable": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"
    },
    "log": {
      "source": {
        "address": "10.224.2.164:59500"
      },
      "syslog": {
        "severity": {
          "code": 6,
          "name": "Informational"
        },
        "hostname": "005a212b-c0bf-40ab-93a0-f757129c0e81",
        "appname": "ERAServer",
        "procid": "8999",
        "priority": 14,
        "version": "1",
        "facility": {
          "code": 1,
          "name": "user-level"
        }
      }
    },
    "elastic_agent": {
      "id": "4c0ddde0-f0a2-47a5-991b-952ee38fb024",
      "version": "9.2.0",
      "snapshot": false
    },
    "tags": [
      "preserve_original_event",
      "customer.eset-mdr.nl/demolab",
      "eset_protect-event",
      "forwarded",
      "terraform-managed"
    ],
    "cloud": {
      "instance": {
        "name": "aks-userpool-84077292-vmss_73",
        "id": "b840d0ab-6b2b-4dc2-a9ee-1d5a5f5b59f6"
      },
      "provider": "azure",
      "machine": {
        "type": "Standard_D4s_v3"
      },
      "service": {
        "name": "Virtual Machines"
      },
      "region": "westeurope",
      "account": {
        "id": "addbd166-b2b1-471f-bda3-fb69e1a2ea39"
      }
    },
    "input": {
      "type": "tcp"
    },
    "@timestamp": "2025-11-03T13:19:50.000Z",
    "file": {
      "path": "C:/Users/Tuvok/Desktop/detect me.txt",
      "drive_letter": "C",
      "name": "detect me.txt",
      "type": "file",
      "directory": "/Users/Tuvok/Desktop/",
      "hash": {
        "sha1": "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
      }
    },
    "ecs": {
      "version": "8.11.0"
    },
    "related": {
      "hosts": [
        "voyager",
        "Voyager",
        "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
      ],
      "ip": [
        "192.168.234.128",
        "fe80::4b4a:a154:2097:9558"
      ],
      "user": [
        "Tuvok"
      ],
      "hash": [
        "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
      ]
    },
    "data_stream": {
      "namespace": "demolab",
      "type": "logs",
      "dataset": "eset_protect.event"
    },
    "host": {
      "hostname": "Voyager",
      "os": {
        "name": "Microsoft Windows 11 Pro"
      },
      "ip": [
        "192.168.234.128",
        "fe80::4b4a:a154:2097:9558"
      ],
      "name": "voyager",
      "id": "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
    },
    "threat": {
      "indicator": {
        "first_seen": "2025-11-03T13:18:57.000Z",
        "file": {
          "hash": {
            "sha1": "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
          }
        },
        "provider": "ESET PROTECT",
        "name": "Eicar100",
        "type": "file"
      }
    },
    "event": {
      "agent_id_status": "verified",
      "reason": "Event occurred on a modified file.",
      "ingested": "2025-11-04T10:26:37Z",
      "original": "{\"source_uuid\": \"9e3571e9-c58d-446a-ba90-b8ee0bafa979\", \"occured\": \"03-Nov-2025 13:19:50\", \"threat_type\": \"Test file\", \"threat_name\": \"Eicar100\", \"threat_flags\": \"\", \"scanner_id\": \"Real-time file system protection\", \"scan_id\": \"virlog.dat\", \"object_type\": \"File\", \"object_uri\": \"file:///C:/Users/Tuvok/Desktop/detect me.txt\", \"action_taken\": \"Cleaned by deleting\", \"action_error\": \"\", \"threat_handled\": \"true\", \"need_restart\": \"false\", \"username\": \"Voyager\\\\Tuvok\", \"processname\": \"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe\", \"circumstances\": \"Event occurred on a modified file.\", \"engine_version\": \"32129 (20251103)\", \"firstseen\": \"03-Nov-2025 13:18:57\", \"hash\": \"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\", \"detection_uuid\": \"6ed159ec-ab53-f64f-05b6-613cfa058f7c\", \"ipv4\": \"192.168.234.128\", \"ipv6\": \"fe80::4b4a:a154:2097:9558\", \"hostname\": \"Voyager\", \"os_name\": \"Microsoft Windows 11 Pro\", \"group_name\": \"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\", \"group_description\": \"A static group created automatically via synchronization\", \"event_type\": \"Threat_Event\", \"severity\": \"Warning\"}",
      "kind": "alert",
      "action": "cleaned-by-deleting",
      "category": [
        "threat"
      ],
      "type": [
        "indicator"
      ],
      "dataset": "eset_protect.event"
    },
    "user": {
      "domain": "Voyager",
      "name": "Tuvok"
    },
    "eset_protect": {
      "event": {
        "type": "Threat_Event",
        "scanner_id": "Real-time file system protection",
        "threat_handled": true,
        "need_restart": false,
        "threat_type": "Test file",
        "is_handled": false,
        "severity": "Warning",
        "object_type": "File",
        "action_taken": "Cleaned by deleting",
        "object_uri": "file:///C:/Users/Tuvok/Desktop/detect me.txt",
        "detection_uuid": "6ed159ec-ab53-f64f-05b6-613cfa058f7c",
        "scan_id": "virlog.dat",
        "engine_version": "32129 (20251103)",
        "group_description": "A static group created automatically via synchronization",
        "hash": "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575",
        "username": "Voyager\\Tuvok"
      }
    },
    "group": {
      "name": "All/Companies/ESETNL Business Support DEMO/United Federation of Planets"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "9.2.0"
    ],
    "event.category": [
      "threat"
    ],
    "host.os.name.text": [
      "Microsoft Windows 11 Pro"
    ],
    "eset_protect.event.severity": [
      "Warning"
    ],
    "host.hostname": [
      "Voyager"
    ],
    "threat.indicator.provider": [
      "ESET PROTECT"
    ],
    "eset_protect.event.need_restart": [
      false
    ],
    "eset_protect.event.action_taken": [
      "Cleaned by deleting"
    ],
    "log.syslog.facility.name": [
      "user-level"
    ],
    "threat.indicator.name": [
      "Eicar100"
    ],
    "agent.name.text": [
      "elastic-agent-demolab-85d467bcf4-dp5l9"
    ],
    "cloud.service.name.text": [
      "Virtual Machines"
    ],
    "log.syslog.severity.name": [
      "Informational"
    ],
    "agent.name": [
      "elastic-agent-demolab-85d467bcf4-dp5l9"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "group.name": [
      "All/Companies/ESETNL Business Support DEMO/United Federation of Planets"
    ],
    "file.path.text": [
      "C:/Users/Tuvok/Desktop/detect me.txt"
    ],
    "cloud.region": [
      "westeurope"
    ],
    "group.name.text": [
      "All/Companies/ESETNL Business Support DEMO/United Federation of Planets"
    ],
    "input.type": [
      "tcp"
    ],
    "related.user": [
      "Tuvok"
    ],
    "tags": [
      "preserve_original_event",
      "customer.eset-mdr.nl/demolab",
      "eset_protect-event",
      "forwarded",
      "terraform-managed"
    ],
    "cloud.machine.type": [
      "Standard_D4s_v3"
    ],
    "cloud.provider": [
      "azure"
    ],
    "agent.id": [
      "4c0ddde0-f0a2-47a5-991b-952ee38fb024"
    ],
    "log.source.address": [
      "10.224.2.164:59500"
    ],
    "eset_protect.event.engine_version": [
      "32129 (20251103)"
    ],
    "threat.indicator.type": [
      "file"
    ],
    "eset_protect.event.type": [
      "Threat_Event"
    ],
    "log.syslog.hostname": [
      "005a212b-c0bf-40ab-93a0-f757129c0e81"
    ],
    "user.name": [
      "Tuvok"
    ],
    "eset_protect.event.object_uri": [
      "file:///C:/Users/Tuvok/Desktop/detect me.txt"
    ],
    "eset_protect.event.scanner_id": [
      "Real-time file system protection"
    ],
    "cloud.instance.id": [
      "b840d0ab-6b2b-4dc2-a9ee-1d5a5f5b59f6"
    ],
    "host.ip": [
      "192.168.234.128",
      "fe80::4b4a:a154:2097:9558"
    ],
    "agent.type": [
      "filebeat"
    ],
    "process.executable.text": [
      "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"
    ],
    "related.ip": [
      "192.168.234.128",
      "fe80::4b4a:a154:2097:9558"
    ],
    "eset_protect.event.threat_type": [
      "Test file"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "eset_protect.event.is_handled": [
      false
    ],
    "user.domain": [
      "Voyager"
    ],
    "host.id": [
      "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
    ],
    "file.directory": [
      "/Users/Tuvok/Desktop/"
    ],
    "log.syslog.severity.name.text": [
      "Informational"
    ],
    "elastic_agent.id": [
      "4c0ddde0-f0a2-47a5-991b-952ee38fb024"
    ],
    "eset_protect.event.hash": [
      "C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575"
    ],
    "file.name": [
      "detect me.txt"
    ],
    "event.action": [
      "cleaned-by-deleting"
    ],
    "event.ingested": [
      "2025-11-04T10:26:37.000Z"
    ],
    "@timestamp": [
      "2025-11-03T13:19:50.000Z"
    ],
    "cloud.account.id": [
      "addbd166-b2b1-471f-bda3-fb69e1a2ea39"
    ],
    "data_stream.dataset": [
      "eset_protect.event"
    ],
    "agent.ephemeral_id": [
      "5d85f27c-d744-4e29-aee6-7c9f706d963c"
    ],
    "log.syslog.facility.code": [
      1
    ],
    "cloud.instance.name": [
      "aks-userpool-84077292-vmss_73"
    ],
    "user.name.text": [
      "Tuvok"
    ],
    "file.path": [
      "C:/Users/Tuvok/Desktop/detect me.txt"
    ],
    "threat.indicator.first_seen": [
      "2025-11-03T13:18:57.000Z"
    ],
    "process.name.text": [
      "Notepad.exe"
    ],
    "eset_protect.event.scan_id": [
      "virlog.dat"
    ],
    "eset_protect.event.threat_handled": [
      true
    ],
    "host.name.text": [
      "voyager"
    ],
    "related.hash": [
      "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
    ],
    "event.reason": [
      "Event occurred on a modified file."
    ],
    "host.os.name": [
      "Microsoft Windows 11 Pro"
    ],
    "host.name": [
      "voyager"
    ],
    "event.kind": [
      "alert"
    ],
    "event.original": [
      "{\"source_uuid\": \"9e3571e9-c58d-446a-ba90-b8ee0bafa979\", \"occured\": \"03-Nov-2025 13:19:50\", \"threat_type\": \"Test file\", \"threat_name\": \"Eicar100\", \"threat_flags\": \"\", \"scanner_id\": \"Real-time file system protection\", \"scan_id\": \"virlog.dat\", \"object_type\": \"File\", \"object_uri\": \"file:///C:/Users/Tuvok/Desktop/detect me.txt\", \"action_taken\": \"Cleaned by deleting\", \"action_error\": \"\", \"threat_handled\": \"true\", \"need_restart\": \"false\", \"username\": \"Voyager\\\\Tuvok\", \"processname\": \"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe\", \"circumstances\": \"Event occurred on a modified file.\", \"engine_version\": \"32129 (20251103)\", \"firstseen\": \"03-Nov-2025 13:18:57\", \"hash\": \"C6B3B6EEEFFCB48A6A0ED4E962BD82DC541E8575\", \"detection_uuid\": \"6ed159ec-ab53-f64f-05b6-613cfa058f7c\", \"ipv4\": \"192.168.234.128\", \"ipv6\": \"fe80::4b4a:a154:2097:9558\", \"hostname\": \"Voyager\", \"os_name\": \"Microsoft Windows 11 Pro\", \"group_name\": \"All/Companies/ESETNL Business Support DEMO/United Federation of Planets\", \"group_description\": \"A static group created automatically via synchronization\", \"event_type\": \"Threat_Event\", \"severity\": \"Warning\"}"
    ],
    "log.syslog.severity.code": [
      6
    ],
    "cloud.instance.name.text": [
      "aks-userpool-84077292-vmss_73"
    ],
    "eset_protect.event.detection_uuid": [
      "6ed159ec-ab53-f64f-05b6-613cfa058f7c"
    ],
    "data_stream.type": [
      "logs"
    ],
    "process.name": [
      "Notepad.exe"
    ],
    "cloud.service.name": [
      "Virtual Machines"
    ],
    "file.type": [
      "file"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "agent.version": [
      "9.2.0"
    ],
    "related.hosts": [
      "voyager",
      "Voyager",
      "9e3571e9-c58d-446a-ba90-b8ee0bafa979"
    ],
    "eset_protect.event.username": [
      "Voyager\\Tuvok"
    ],
    "log.syslog.appname": [
      "ERAServer"
    ],
    "eset_protect.event.object_type": [
      "File"
    ],
    "file.hash.sha1": [
      "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
    ],
    "event.module": [
      "eset_protect"
    ],
    "log.syslog.priority": [
      14
    ],
    "process.executable": [
      "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_11.2507.26.0_x64__8wekyb3d8bbwe\\Notepad\\Notepad.exe"
    ],
    "log.syslog.version": [
      "1"
    ],
    "data_stream.namespace": [
      "demolab"
    ],
    "eset_protect.event.group_description": [
      "A static group created automatically via synchronization"
    ],
    "threat.indicator.name.text": [
      "Eicar100"
    ],
    "log.syslog.procid": [
      "8999"
    ],
    "file.name.text": [
      "detect me.txt"
    ],
    "file.drive_letter": [
      "C"
    ],
    "log.syslog.facility.name.text": [
      "user-level"
    ],
    "event.type": [
      "indicator"
    ],
    "threat.indicator.file.hash.sha1": [
      "c6b3b6eeeffcb48a6a0ed4e962bd82dc541e8575"
    ],
    "event.dataset": [
      "eset_protect.event"
    ]
  }
}

This behaviour is only present on v9 agents, not on v8 agents.

[dmaasland]

Here is the integration config:

PUT kbn:/api/fleet/package_policies/1a684ec6-1087-44f0-bc76-e7680bc5e41a
{
  "package": {
    "name": "eset_protect",
    "version": "1.11.1"
  },
  "name": "DemoLab-eset-protect",
  "namespace": "demolab",
  "policy_ids": [
    "a936bd57-5e88-484e-8716-63665f0d7705"
  ],
  "output_id": null,
  "vars": {},
  "inputs": {
    "eset_protect-tcp": {
      "enabled": true,
      "streams": {
        "eset_protect.event": {
          "enabled": true,
          "vars": {
            "listen_address": "0.0.0.0",
            "listen_port": 6514,
            "tcp_options": "max_message_size: 50KiB\n",
            "tags": [
              "customer.eset-mdr.nl/demolab",
              "eset_protect-event",
              "forwarded",
              "terraform-managed"
            ],
            "drop_heartbeat_message": false,
            "preserve_original_event": true,
            "preserve_duplicate_custom_fields": false,
            "ssl": "#certificate_authorities:\\n"
          }
        }
      }
    },
    "eset_protect-cel": {
      "enabled": true,
      "vars": {
        "region": "${env.ESET_CONNECT_REGION}",
        "username": "${env.ESET_CONNECT_USERNAME}",
        "password": {
          "id": "to_KSpoBQ4zN2WvGDFfn",
          "isSecretRef": true
        }
      },
      "streams": {
        "eset_protect.detection": {
          "enabled": true,
          "vars": {
            "initial_interval": "24h",
            "interval": "1m",
            "batch_size": 10000,
            "http_client_timeout": "180s",
            "tags": [
              "customer.eset-mdr.nl/demolab",
              "eset_protect-detection",
              "forwarded",
              "terraform-managed"
            ],
            "preserve_original_event": true,
            "preserve_duplicate_custom_fields": false,
            "ssl": ""
          }
        },
        "eset_protect.device_task": {
          "enabled": true,
          "vars": {
            "interval": "1h",
            "batch_size": 10000,
            "http_client_timeout": "180s",
            "tags": [
              "customer.eset-mdr.nl/demolab",
              "eset_protect-device_task",
              "forwarded",
              "terraform-managed"
            ],
            "preserve_original_event": true,
            "preserve_duplicate_custom_fields": false,
            "ssl": ""
          }
        }
      }
    }
  }
}

[dmaasland]

I was reading through the documentation for the TCP plugin (https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-tcp) and I noticed this message:

Starting in 9.2.0 the TCP input reads the message in a different goroutine than the publishing of messages, which increases the performance of the input when running slow processors.

Could this perhaps be related?