KWTS: Send only detects to external syslog server [Kaspersky Web Traffic Security]


Description and cautions

This article describes how to forward only detection events (detects) from KWTS to an external syslog server over TCP. The rsyslog rule below picks out the events that KWTS logs to syslog facility local1 whose message carries a "Detected" verdict in one of the scan-result fields and forwards them with the plain TCP (@@) action; all other KWTS events stay in the local log. Note that @@ sends the stream unencrypted, so the collector should be reachable only over a trusted network segment.

Details

  1. Create the file /etc/rsyslog.d/kwts-detects.conf with the contents below. Replace SERVER:PORT with the address and port of your external syslog server; @@ means TCP, so if the server accepts UDP instead, use a single @ (@SERVER:PORT).

    # Queue settings (legacy directives): they apply to the next action
    # defined below and are reset after it. Naming a queue file makes the
    # LinkedList queue disk-assisted, so events are buffered in rsyslog's
    # work directory ($WorkDirectory) while the collector is unreachable,
    # up to 1 GB, with unlimited retries (-1), and the queue is saved to
    # disk on shutdown so nothing is lost across an rsyslog restart.
    $ActionQueueFileName KWTSDetects
    $ActionQueueType LinkedList
    $ActionQueueMaxDiskSpace 1g
    $ActionResumeRetryCount -1
    $ActionQueueSaveOnShutdown on

    # Forward only events on facility local1 whose message contains a
    # "Detected" verdict. The substrings deliberately omit the closing
    # quote, so av-status="Detected" matches but av-status="NotDetected"
    # does not; clean results and informational events stay local.
    if ($syslogfacility-text == 'local1' and (
          $msg contains 'av-status="Detected' or
          $msg contains 'encrypted="Detected' or
          $msg contains 'macros="Detected' or
          $msg contains 'ap-status="Detected' or
          $msg contains 'mlf-status="Detected' or
          $msg contains 'kata-alert="Detected'
        )) then {
        # Plain TCP forwarding (@@); for UDP use @SERVER:PORT instead.
        @@SERVER:PORT
    }
  2. Restart the rsyslog service so that the new rule takes effect:

    systemctl restart rsyslog
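To see which events the rule above would actually select before pointing it at a production collector, here is an added Python re-implementation of the filter's two conditions (facility local1, message contains one of the "Detected" markers) run over a few sample syslog lines. This is example code written for this article, not part of KWTS or rsyslog. The marker strings are the ones from the config; the sample events, their field names and their PRI values are constructed here and are assumptions about what KWTS emits.

```python
"""Offline check of the rsyslog filter in /etc/rsyslog.d/kwts-detects.conf.

Added example for this article; it is not part of KWTS or rsyslog. It
re-implements the filter in Python so the selection can be tried against
sample events without a running rsyslog. The sample events below are
constructed to look like KWTS key="value" messages; the exact field
names KWTS emits are an assumption.
"""
import re

# Syslog facility numbers (RFC 3164/5424): PRI = facility * 8 + severity,
# so local1 is facility 17 and local1.info has PRI 17 * 8 + 6 = 142.
LOCAL1 = 17

# Substrings copied verbatim from the rsyslog filter. They include the
# opening quote but not the closing one, so they match
# av-status="Detected" but not av-status="NotDetected".
DETECT_MARKERS = (
    'av-status="Detected',
    'encrypted="Detected',
    'macros="Detected',
    'ap-status="Detected',
    'mlf-status="Detected',
    'kata-alert="Detected',
)

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Split a '<PRI>...' syslog line into (facility, severity, rest)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def is_kwts_detect(line):
    """Mirror of the rsyslog condition:
    $syslogfacility-text == 'local1' and $msg contains <a marker>.
    The markers are searched in everything after the PRI, which is a
    superset of rsyslog's $msg (header plus message); for these
    key="value" markers the result is the same."""
    facility, _severity, rest = parse_pri(line)
    return facility == LOCAL1 and any(m in rest for m in DETECT_MARKERS)


def select_for_forwarding(lines):
    """Return the lines the rsyslog rule would send to @@SERVER:PORT."""
    return [line for line in lines if is_kwts_detect(line)]


# Constructed sample events (not real KWTS output).
SAMPLE_LINES = [
    # local1.info, AV verdict Detected -> forwarded
    '<142>Jan 10 12:00:01 kwts kwts: event-type="ScanResult" src-ip="10.0.0.5" '
    'url="http://example.test/a.exe" av-status="Detected" threat="EICAR-Test-File"',
    # local1.info, clean -> stays local
    '<142>Jan 10 12:00:02 kwts kwts: event-type="ScanResult" src-ip="10.0.0.6" '
    'url="http://example.test/b.pdf" av-status="Clean"',
    # local1.info, encrypted archive detected -> forwarded
    '<142>Jan 10 12:00:03 kwts kwts: event-type="ScanResult" src-ip="10.0.0.7" '
    'url="http://example.test/c.zip" encrypted="Detected"',
    # local0.info (PRI 134): same marker but wrong facility -> stays local
    '<134>Jan 10 12:00:04 otherhost app: av-status="Detected" note="not KWTS"',
    # local1.info, "NotDetected" does not contain the marker -> stays local
    '<142>Jan 10 12:00:05 kwts kwts: event-type="ScanResult" src-ip="10.0.0.8" '
    'url="http://example.test/d.docx" av-status="NotDetected"',
    # local1.warning (PRI 140), KATA alert -> forwarded
    '<140>Jan 10 12:00:06 kwts kwts: event-type="ScanResult" src-ip="10.0.0.9" '
    'url="http://example.test/e.js" kata-alert="Detected" verdict="Malware"',
]


if __name__ == "__main__":
    for line in select_for_forwarding(SAMPLE_LINES):
        print("FORWARD", line[:80])
```

Of the six sample lines only the first, third and sixth are selected: the clean and "NotDetected" results and the event on facility local0 stay local. On the KWTS host itself, validate the file with `rsyslogd -N1` before restarting, then generate a test event with `logger -p local1.info 'av-status="Detected" test="1"'` and confirm it arrives at the collector, and that a `logger -p local1.info 'av-status="Clean" test="1"'` event does not.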
