SIEM intergration - no events: the most frequent reason for error
Entry posted by Egor Erastov in Known problem
27 views
Problem
You set up integration with SIEM but no events come up on SIEM side. In some cases there is no incoming traffic to SIEM from KSC server.
Solution
In vast majority of cases the root cause can be located in KSC server trace
Trace example #1
25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.
|
Trace example #2
24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224.
Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151)
Error loc: 'This operation requires a license for the feature Systems Management.'.
|
If you can find such a line, make sure that Systems management license is installed on KSC. If the issue reproduces with SM license installed do the following:
- Enable admin server tracing
- Click 'Export archive' button
- Wait 15 minutes
- Provide Customer Support (https://companyaccount.kaspersky.com/) with the traces, GSI file (https://support.kaspersky.com/common/diagnostics/3632 - do not forget to switch on the event logs collection), and the detailed problem description.
0 Comments
Recommended Comments
There are no comments to display.
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now