
Add ESET Protect On-Prem syslog integration for Wazuh#5

Open
TimvHerpen wants to merge 1 commit into eset:main from TimvHerpen:feature/syslog-onprem-integration

Conversation

@TimvHerpen

Summary

  • Adds decoder and rules for ingesting ESET Protect On-Premise syslog JSON output directly, without requiring the Cloud API integration script
  • Custom decoder handles RFC 5424 syslog from ESET Protect On-Prem
  • 1,263 rules covering all 7 ESET event types with severity escalation and MITRE ATT&CK mappings

Background

The existing eset_local_rules.xml is designed for the ESET Cloud API integration script, which wraps events in a custom JSON structure with fields like eset.category, eset.severityLevel, and eset.edrRuleUuid.

ESET Protect On-Premise has a built-in Syslog export feature that sends events directly over syslog in RFC 5424 format with a JSON payload. The JSON schema differs from the API output — it uses root-level fields like event_type, severity, threat_name, etc. as documented at:
https://help.eset.com/protect_admin/12.1/en-US/events-exported-to-json-format.html

This PR adds native Wazuh support for these syslog events, enabling ESET Protect On-Prem users to get full detection coverage without running the Cloud API integration.

Files added

| File | Description |
| --- | --- |
| eset_syslog_decoder.xml | Custom decoder for RFC 5424 syslog from ESET Protect On-Prem |
| eset_syslog_rules.xml | 1,263 rules: 16 base/category/severity rules + 1,247 EDR rules |
| README_syslog.md | Setup and configuration documentation |

Rule coverage

  • 7 event types: Threat_Event, FirewallAggregated_Event, HipsAggregated_Event, EnterpriseInspectorAlert_Event, BlockedFiles_Event, Audit_Event, FilteredWebsites_Event
  • Severity escalation: Warning (level 7), Critical (level 12), Fatal (level 15)
  • 1,247 EDR rules mapped from existing eset_local_rules.xml using the rulename field, with original rule IDs and MITRE ATT&CK technique IDs preserved
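The decode-then-escalate path the description outlines, as an added Python illustration rather than the PR's own decoder or rules (those are Wazuh XML): it splits the RFC 5424 header from the JSON payload, checks the event_type against the seven types listed above, and assigns the Warning/Critical/Fatal levels from the description. The sample lines, host, app name and event values are constructed, and the level for "Information" events is an assumption.

```python
import json
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>\d+ \S+ (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
                     r"(?:-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")
EVENT_TYPES = {"Threat_Event", "FirewallAggregated_Event", "HipsAggregated_Event",
               "EnterpriseInspectorAlert_Event", "BlockedFiles_Event", "Audit_Event",
               "FilteredWebsites_Event"}
# Wazuh levels from the PR's escalation scheme; the "Information" level is an assumption.
SEVERITY_LEVEL = {"Information": 3, "Warning": 7, "Critical": 12, "Fatal": 15}

def decode(line):
    """Split one RFC 5424 line into header fields plus the JSON payload; None if malformed."""
    m = RFC5424.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("msg").lstrip("\ufeff"))  # MSG may carry a UTF-8 BOM
    except ValueError:
        return None
    if not isinstance(payload, dict):  # a bare string or list is not an ESET event object
        return None
    pri = int(m.group("pri"))
    return {"syslog_host": m.group("host"), "syslog_app": m.group("app"),
            "syslog_facility": pri >> 3, "syslog_severity": pri & 7, "eset": payload}

def classify(decoded):
    """Level the event as the rules would; EDR alerts keep rulename for per-rule matching."""
    ev = decoded["eset"]
    etype = ev.get("event_type")
    if etype not in EVENT_TYPES:
        return None
    alert = {"event_type": etype, "level": SEVERITY_LEVEL.get(ev.get("severity"), 3)}
    if etype == "Threat_Event":
        alert["threat_name"] = ev.get("threat_name")
    elif etype == "EnterpriseInspectorAlert_Event":
        alert["rulename"] = ev.get("rulename")
    return alert

# Constructed sample lines, not real ESET output; host, app name and values are made up.
SAMPLES = [
    '<14>1 2024-05-01T10:00:00Z eset-protect ERAServer - - - '
    '{"event_type":"Threat_Event","severity":"Critical","threat_name":"Eicar test file"}',
    '<14>1 2024-05-01T10:00:05Z eset-protect ERAServer - - - '
    '{"event_type":"EnterpriseInspectorAlert_Event","severity":"Warning","rulename":"Example rule"}',
    '<14>1 2024-05-01T10:00:09Z eset-protect ERAServer - - - not json',
]
def run(lines=SAMPLES):
    """Decode and classify each line; None marks lines that are malformed or of unknown type."""
    return [classify(d) if (d := decode(l)) else None for l in lines]
```

A malformed payload yields None rather than an exception, which is the behaviour you want from a decoder fed by an untrusted syslog stream.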

Add decoder and rules for ingesting ESET Protect On-Premise syslog
JSON output directly, without requiring the Cloud API integration
script.

Includes:
- Custom decoder for RFC 5424 syslog
- 1,263 rules covering all 7 ESET event types with severity escalation
- All 1,247 EDR/ESET Inspect rules mapped to syslog rulename field
- MITRE ATT&CK technique mappings preserved from existing rules
- Documentation with setup instructions