
Export to Syslog Server


Solved by ElvinE5

Dear friends,

    Good day. I have configured "Export to SIEM system" on my administration server (Automatically export... was checked as well). But nothing is exported to the syslog server. However, as I enable syslog export on KSWS policy (for servers) it sends data to syslog server (per server) successfully. But I need to send Kaspersky Security Center events to syslog server. Would it be possible? By the way, Kaspersky server has access to syslog server on port 514 UDP and TCP.

Thanks in advance


Hello,

Please configure the export to the SIEM system as described here and make sure the certificates are valid:

Configuring Kaspersky Security Center for export of events to a SIEM system

After that, configure the events to be sent to the SIEM system as described here:

support.kaspersky.com/KSC/14.2/en-US/151327_1.htm

If you still encounter issues open a ticket with Technical Support

Thank you in advance

Best Regards

 


  • Solution

In support of the previous post:

If in simple terms...

 

after you have configured the forwarding of SIEM events ... exactly by the SYSLOG protocol ... you must specify WHAT events you need to send ...

To do this, in the properties of ALL policies for products, you need to mark ALL necessary events that must be sent ...

[Screenshot]

 

PS:

if you have an Advanced license or higher, and when sending events to SIEM in CEF or LEEF formats, you do not need to additionally configure anything ... all events will be sent to SIEM


Hi @Joerg Lechea

    Thanks for your support. As a matter of fact, events are exported when the Syslog server option is set, but it does not work when choosing the Splunk format. Then I checked the Kaspersky events in the Windows Event Viewer. I found some errors regarding export failure due to limited functionality mode. So, I guessed it is something related to the license.

Thanks


On 17.07.2023 at 12:28, xpreme said:

Does this feature require a special license? I am now using a Select license. 

I'm sorry, I'll try to explain again...

1. When using your "Select" license, you can send events to all SIEM systems (Splunk, QRadar, etc.) BUT ONLY via the Syslog protocol

[Screenshot]

At the same time, as I wrote above, you will need to "manually" select which events to send ...

 

2. If you have an "Advanced" license or higher ... you can use all the other options for sending events

[Screenshot]

and also you don't have to choose which messages to send... the server will send absolutely everything

but in order for the functionality to become available, you will need to additionally activate the KSC itself with the appropriate activation key

[Screenshot]

it is included in the license package that you purchase...

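As an added example (not part of this thread and not Kaspersky's own code), the following Python script parses syslog lines on the receiving side in the three payload shapes discussed above: plain Syslog text, CEF and LEEF. It lets the person running the collector confirm that exported events actually arrive and decode cleanly, including the CEF escaping rules for `|`, `=` and `\` and the LEEF 2.0 custom attribute delimiter. The sample lines, the vendor and product names and the event IDs (EXAMPLE_EVENT_1 and so on) are constructed placeholders, not real KSC output.

```python
"""Receiver-side parser for syslog lines carrying CEF or LEEF payloads.

Added example (not Kaspersky's code). The sample lines below are constructed
to exercise each format; point parse_syslog_line() at real captured lines.
"""
import re
from typing import Dict, List

# RFC 3164-style prefix: optional <PRI>, optional timestamp, optional host, then the payload.
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>[^\s:|]+) )?"
    r"(?P<msg>.*)$",
    re.S,
)
# A CEF extension key: letters/digits/._- followed by '=' at the start or after whitespace.
_EXT_KEY = re.compile(r"(?:^|\s)(?P<key>[A-Za-z0-9_.\-]+)=")
# LEEF 2.0 optional delimiter field: a single character or xHH hex code, then '|'.
_LEEF_DELIM = re.compile(r"^(?P<d>x[0-9A-Fa-f]{2}|.)\|", re.S)


def _unescape(value: str) -> str:
    """Undo CEF backslash escapes: \\| \\= \\\\ plus the \\n and \\r sequences."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_unescaped(text: str, sep: str, limit: int) -> List[str]:
    """Split on at most `limit` unescaped occurrences of `sep`; escapes stay in the pieces."""
    parts, start, i = [], 0, 0
    while i < len(text) and len(parts) < limit:
        if text[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts


def _parse_cef_extension(ext: str) -> Dict[str, str]:
    """Space-separated key=value pairs; values may contain spaces, '=' must be escaped."""
    fields = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[m.group("key")] = _unescape(ext[m.end():end])
    return fields


def parse_cef(msg: str) -> Dict[str, object]:
    """CEF:Version|Vendor|Product|DeviceVersion|EventID|Name|Severity|Extension"""
    parts = _split_unescaped(msg[len("CEF:"):], "|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven '|'-separated fields before the extension")
    version, vendor, product, dev_version, event_id, name, severity, ext = parts
    return {"format": "CEF", "version": version, "vendor": _unescape(vendor),
            "product": _unescape(product), "device_version": _unescape(dev_version),
            "event_id": _unescape(event_id), "name": _unescape(name),
            "severity": severity, "fields": _parse_cef_extension(ext)}


def parse_leef(msg: str) -> Dict[str, object]:
    """LEEF:Version|Vendor|Product|DeviceVersion|EventID|[Delimiter|]attributes"""
    parts = _split_unescaped(msg[len("LEEF:"):], "|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs five '|'-separated fields before the attributes")
    version, vendor, product, dev_version, event_id, rest = parts
    delim = "\t"  # LEEF 1.0 attributes are always tab-delimited
    if version.startswith("2."):
        m = _LEEF_DELIM.match(rest)  # LEEF 2.0 may declare its own delimiter first
        if m:
            d = m.group("d")
            delim = chr(int(d[1:], 16)) if len(d) == 3 else d
            rest = rest[m.end():]
    fields = {}
    for pair in rest.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return {"format": "LEEF", "version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "event_id": event_id, "fields": fields}


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Decode the syslog prefix, then dispatch on the payload format."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    pri = int(m.group("pri")) if m.group("pri") else None
    record = {"facility": pri >> 3 if pri is not None else None,
              "severity": pri & 7 if pri is not None else None,
              "timestamp": m.group("ts"), "host": m.group("host"), "event": None}
    msg = m.group("msg")
    if msg.startswith("CEF:"):
        record["event"] = parse_cef(msg)
    elif msg.startswith("LEEF:"):
        record["event"] = parse_leef(msg)
    else:
        record["raw"] = msg  # plain Syslog text: kept verbatim, not decoded
    return record


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many lines decoded as CEF, LEEF, or neither."""
    counts = {"CEF": 0, "LEEF": 0, "unparsed": 0}
    for line in lines:
        event = parse_syslog_line(line)["event"]
        counts[event["format"] if event else "unparsed"] += 1
    return counts


# Constructed sample lines (placeholder vendor, product and event IDs).
SAMPLE_LINES = [
    "<134>Jul 17 12:28:01 ksc-server CEF:0|KasperskyLab|SecurityCenter|14.2|EXAMPLE_EVENT_1|"
    "Malicious object detected|8|rt=Jul 17 2023 12:28:01 suser=CORP\\\\jdoe "
    "cs1=Threat\\=EICAR-Test-File msg=Object quarantined",
    "<134>Jul 17 12:28:02 ksc-server LEEF:1.0|KasperskyLab|SecurityCenter|14.2|EXAMPLE_EVENT_2|"
    "devTime=Jul 17 2023 12:28:02\tsrc=10.0.0.5\tcat=Device status",
    "<134>Jul 17 12:28:03 ksc-server LEEF:2.0|KasperskyLab|SecurityCenter|14.2|EXAMPLE_EVENT_3|^|"
    "src=10.0.0.6^cat=Policy applied",
    "<13>Jul 17 12:28:04 ksc-server plain text line that a SIEM would not decode as CEF or LEEF",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line))
```

Running the script prints the per-format counts for the constructed lines and then each decoded record. On a real collector, feed the lines captured on UDP/TCP 514 to `parse_syslog_line`; a CEF line that raises `ValueError` or a LEEF line whose attributes all land in one field usually means an unescaped `|` or a wrong delimiter on the sending side, which is easier to spot here than in the SIEM's ingest errors.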
