
Kaspersky Security Center - SIEM Integration With Sumo Logic


Solved by fernando.frogel


fernando.frogel
Posted

We are experiencing issues integrating Kaspersky Security Center (KSC) with our SIEM (Sumo Logic). The logs are not being sent.

Port 515, and the Sumo Logic agent server IP is 192.168.1.223.


Renan Corassa
Posted (edited)

Fernando, how are you?
Wouldn't the default port for collection be 514?
Or did you change it in the Sumo tool?

Edited by Renan Corassa
fernando.frogel
Posted

Regarding your question, yes, the default port for Syslog collection is 514, but the Sumo Logic team confirmed that they changed the collection port to 515 on their end.

Renan Corassa
Posted (edited)

You can check via telnet whether KSC can reach the IP 192.168.1.233 on port 515.

Edited by Renan Corassa
fernando.frogel
Posted

telnet does not respond on port 515, nor on 514; only the ping to the server works. But the ports used are UDP.

Renan Corassa
Posted (edited)

I had forgotten that telnet does not work with the UDP protocol, because the protocol is not connection-oriented, sorry. Is the SIEM cloud or on-premises?

Edited by Renan Corassa
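Since telnet cannot probe a UDP port, a practical way to confirm the path to the collector is to send it a test syslog datagram and then search for that line in Sumo Logic. The script below is an added example, not code from this thread, from Kaspersky or from Sumo Logic; the collector IP and port defaults are the values the post names, while the hostname, application tag, marker text and LOCAL0 facility are constructed. Note that UDP gives the sender no delivery confirmation, so the loopback self-check only proves the sender itself works.

```python
import socket
import sys
from datetime import datetime

# RFC 3164 facility / severity codes; PRI = facility * 8 + severity.
LOCAL0 = 16
INFO = 6


def build_syslog_message(facility, severity, hostname, app, text, when=None):
    """Return an RFC 3164 style syslog line as bytes, e.g. b'<134>Jan  5 03:04:05 host app: text'."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded per RFC 3164
    return f"<{facility * 8 + severity}>{stamp} {hostname} {app}: {text}".encode()


def send_udp_syslog(host, port, payload):
    """Send one UDP datagram; returns bytes handed to the kernel, not proof of delivery."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def loopback_roundtrip(timeout=2.0):
    """Self-check: bind a throwaway UDP listener on localhost, send a test line to it
    and return the decoded line it received (None if nothing arrived in time)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0 = any free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        payload = build_syslog_message(LOCAL0, INFO, "ksc-test", "ksc-siem-check",
                                       "test event from KSC integration check")
        send_udp_syslog("127.0.0.1", port, payload)
        try:
            data, _ = listener.recvfrom(4096)
        except socket.timeout:
            return None
        return data.decode()


if __name__ == "__main__":
    # Constructed defaults: the collector IP and port named in the thread; override on the CLI.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.223"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 515
    print("loopback self-check:", loopback_roundtrip())
    marker = "KSC-SIEM-CHECK test event, search for this string in Sumo Logic"
    msg = build_syslog_message(LOCAL0, INFO, "ksc-server", "ksc-siem-check", marker)
    sent = send_udp_syslog(host, port, msg)
    print(f"sent {sent} bytes to {host}:{port}/udp; now search for the marker in the collector")
```

If the marker never shows up in Sumo Logic while the loopback check passes, the problem is between the KSC host and the collector (host firewall, network ACLs, or the collector's source configuration), not in message formatting.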
fernando.frogel
Posted

The agent is local (192.168.1.233) and sends to the cloud; the firewall's one was configured to it and is working.

Renan Corassa
Posted (edited)

Have you entered the logs you intend to send to the SIEM?

Edited by Renan Corassa
fernando.frogel
Posted

Do you mean in this window?

Renan Corassa
Posted

Yes.

What database does KSC use?

fernando.frogel
Posted

Microsoft SQL Server

Renan Corassa
Posted

Fernando, has the collector already been created in Sumo to receive the KSC logs?

fernando.frogel
Posted

Yes, it was created to receive the logs on port 515.

Renan Corassa
Posted

If possible, validate in the KSC OS event viewer whether there is any reference to sending logs to the SIEM.

 

Renan Corassa
Posted

Good morning.
If possible, change the Sumo collector to default values (UDP/514) and test.

Posted

Hello,

Please remember: this is the English forum.

Regards

fernando.frogel
Posted (edited)

Sorry, this is a summary of the issue:

We are experiencing issues integrating Kaspersky Security Center (KSC) with our SIEM (Sumo Logic). The logs from KSC are not being sent to Sumo Logic as expected.

Current Configuration:
SIEM (Sumo Logic) Agent Server IP: 192.168.1.223
Syslog Collection Port: 515/UDP (Confirmed with Sumo Logic team)
Expected Behavior: Logs should be sent from KSC to Sumo Logic via port 515.
Issue Observed: No logs are being transmitted to Sumo Logic.

Additional Information:
We understand that the default Syslog collection port is 514, but the Sumo Logic team has confirmed that they changed the collection port to 515 on their end.
 

Edited by fernando.frogel
Solution
fernando.frogel
Posted

To successfully integrate Kaspersky Security Center (KSC) with Sumo Logic, it is necessary to adjust the policies on both workstations and servers to ensure that events are properly forwarded to the SIEM.

Renan Corassa
Posted

What kind of adjustment? Was there some active component in the policy that prevented sending?
