Jump to content

Events are not received by KSC or not transferred to SIEM [KSC for Windows]


Antipova Anna

Recommended Posts

Antipova Anna

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

Sometimes the problem with events receiving/transferring on KSC (including export to SIEM) may occur. The first thing that you have to check is Kaspersky Event Log. The following warnings may occur:

Warning

Total number of events stored in database (4010532) has exceeded the actual limit of 4000000 event(s). Starting to delete excessive events from the database...

Warning

600 event(s) have been deleted from the database because the limit of 4000000 event(s) was exceeded.

Warning

Server is busy: event has been rejected for device '<Device_name>', most common events in the database are: 'Scheduled' (from 'KES 11.0.0.0'), 'Error sending the request to KSN' (from 'Kaspersky Security 10 for Windows Server 10.0.0.486') and 'Password-protected archive detected' (from 'KES 11.0.0.0')


The same is correct for SIEM integration. Because KSC is busy, it won't provide event to SIEM immediately. You'll have to wait until load will be decreased.Events are coming from the hosts to KSC and sometimes KSC just cannot process all of them. For example, during KES update task all the hosts transfer event Scheduled and then Running. The more hosts you have, the more chance that KSC will suffer a pike load which will lead to the other events rejecting.

Solution

Configure events storing in all KES policies according to https://support.kaspersky.com/KSC/14/en-US/92424_1.htm

Open KEL and check what the most common events in the database are. Most probably those events will be informational and not very helpful.

  1. Disable storing events you are not interested in on KSC server in all corresponding policies.
  2. Task related events can be disabled in the corresponding task properties, on the Notifications tab. There are different store events options, choose to store only task execution results. Do this for all the tasks running of which cause "server busy" event.

After a while events receiving/transferring should be normalized.

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...