SIEM integration - no events: the most frequent reason for error [KSC for Windows]
This article is about Kaspersky Security Center for Windows (KSC for Windows)
Problem
You have set up integration with a SIEM system, but no events arrive on the SIEM side. In some cases there is no incoming traffic to the SIEM from the KSC server at all.
Solution
In the vast majority of cases the root cause can be found in the KSC server trace, in lines such as:
25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.
or
24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224.
Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151)
Error loc: 'This operation requires a license for the feature Systems Management.'.
Starting from KSC 11 you can export events to SIEM via Syslog without a Vulnerability and Patch Management (Systems Management) license.
For KSC 15.1 and later, a commercial license is not checked anymore when you export events to a SIEM system in the CEF or LEEF formats: https://support.kaspersky.com/KSC/15.1/en-US/12521.htm
If you find such a line, make sure that a Systems Management license is installed on KSC. If the issue still reproduces with the SM license installed, do the following:
- Enable Administration Server tracing
- Click the 'Export archive' button
- Wait 15 minutes
- Provide Customer Support (https://companyaccount.kaspersky.com/) with the traces, the GSI file (https://support.kaspersky.com/common/diagnostics/3632 - do not forget to switch on event log collection), and a detailed description of the problem.
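As an added example (not code from the article or from Kaspersky), a small Python script that scans KSC server trace lines for the license-related signatures quoted above and reports which record they belong to. The trace line layout (timestamp, process.thread ids, level, component) is inferred from the excerpts in this article and assumed to hold generally; the sample lines are constructed from those excerpts.

```python
import re
from dataclasses import dataclass

# Trace line layout as seen in the excerpts above (assumed to hold generally):
# "DD.MM.YYYY HH:MM:SS.mmm PPPPPPPP.TTTTTTTT L<n> COMPONENT: message"
TRACE_LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<tid>[0-9A-Fa-f]{8}) "
    r"L(?P<level>\d+) (?P<component>[A-Z]+): (?P<msg>.*)$"
)
# Signatures quoted in the article that point at a missing Systems Management license.
SIGNATURES = {
    "no_sm_key": re.compile(r"There is no key for SystemManagement"),
    "siem_build_error": re.compile(r"EventsSupplierToSiem::Build"),
    "limited_mode_sm": re.compile(r"Functionality in limited mode\. Area: System Management"),
    "license_required": re.compile(r"requires a license for the feature Systems Management"),
}

@dataclass
class Finding:
    line_no: int
    timestamp: str   # timestamp of the trace record the line belongs to
    component: str   # KLSPLG, KLERR, ... taken from that record's header
    signature: str

def scan_trace(lines):
    """Return a Finding for every line matching a license signature.
    Continuation lines (no timestamp prefix) inherit the last record header."""
    findings, last_ts, last_component = [], "", ""
    for n, line in enumerate(lines, start=1):
        m = TRACE_LINE.match(line)
        if m:
            last_ts, last_component = m.group("ts"), m.group("component")
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append(Finding(n, last_ts, last_component, name))
    return findings

def has_license_problem(lines):
    return bool(scan_trace(lines))

# Constructed sample: the article's two excerpts plus one unrelated (made-up) line.
SAMPLE = """\
25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.
25.01.2017 09:57:01.002 00001320.0000015C L3 KLSRV: Heartbeat OK.
24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\\splg\\events_supplier_to_siem.cpp@224.
Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\\license_policy\\license_policy_utils.cpp@151)
Error loc: 'This operation requires a license for the feature Systems Management.'.
""".splitlines()
```

Run `scan_trace(SAMPLE)` against a real trace by passing the file's lines instead of `SAMPLE`; an empty result means the license signatures are absent and the cause lies elsewhere.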