
KSC 11 integration with AlienVault SIEM


Solved by Kavuser10


Hello everybody,

The scenario is as below:

Kaspersky Security Center 11 needs to send logs to a syslog server, and then the logs need to be sent from the syslog server to the AlienVault SIEM.

Is the above scenario good practice? If the scenario is set up like the above, then:

What will be the method from KSC 11 to the syslog server, and then from the syslog server to the SIEM? Is that push or something else?

 

Thanks in Advance

@Deadlock4400 

 


Once KSC and AlienVault are integrated, will logs from KSC to the SIEM be sent by a push or a pull method?


Yes. KSC will then send messages over syslog, and AlienVault then knows how to process them properly. Without enabling the plugin for KSC, logs will show up just as generic text logs.


Solution (posted 2 weeks later):

Hello,

After the KSC 11 to syslog server connection is done, will the client machines push the logs through KSC 11 automatically, or does something need to be done, like creating tasks on KSC 11?

You have to enable syslog in the policy that you have pushed to the clients. Open the policy in the editor and, under Events, open the specific events that you want to send and make sure syslog is enabled. See here:

https://help.kaspersky.com/KSC/SP3/en-US/151325.htm 


4 months later:

Hello @Deadlock4400,

 

Did you get to see the logs in the framework? I have configured the plugin in OSSIM and KSC, I receive the logs in /var/log/kaspersky-sc.log but I cannot see them in the web interface. I have tried all formats (CEF, Syslog, etc.).

Edit: I forgot to say I’m using KSC 11 too.

Edit 2: @Kavuser10 , can you help with this?


Thanks in advance.
Álex


The exact same problem here. Export to SIEM is enabled in KSC, the events to export to the SIEM are selected in the policies, and the policies are applied to the clients. I get the logs in /var/log/kaspersky-sc.log, but I do not see them in the web interface.
Can anyone help with this issue?
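The two reports above (events reach /var/log/kaspersky-sc.log but never appear in the AlienVault UI) and the earlier remark that, without the KSC plugin, events show up as generic text both come down to the same question: are the lines in that file actually well-formed CEF that a CEF-aware plugin can tokenise? The script below is an added example, not code from this thread, from KSC or from AlienVault. It assumes KSC's SIEM export is set to CEF and that a syslog relay writes the raw lines to a file; the sample lines are constructed, and the vendor/product strings, event IDs and hostnames in them are placeholders rather than KSC's documented output. It implements CEF's own escaping rules (`\|` and `\\` in the header, `\=`, `\\`, `\n`, `\r` in the extension) so that a line that parses here should also parse in any compliant plugin, while a line it rejects is one the SIEM would only ever index as free text.

```python
"""Check that syslog lines relayed from KSC are CEF a SIEM plugin can parse.

Added example; not code from the forum thread, KSC or AlienVault.
SAMPLE_LOG is constructed: vendor/product strings, event IDs and hosts
are placeholders, not KSC's documented output.
"""

# Constructed sample of a relay file such as /var/log/kaspersky-sc.log:
# two CEF events plus one free-text line that no CEF plugin will recognise.
SAMPLE_LOG = r"""<14>Jan 12 10:15:03 ksc-srv KSC: CEF:0|Kaspersky|Security Center|11.0|EV_MALWARE_FOUND|Malicious object detected|8|rt=1673518503000 dvchost=ksc-srv shost=WS-0042 suser=CORP\\jdoe fname=C:\\Users\\jdoe\\eicar.com msg=Object name\=EICAR-Test-File act=Deleted
<14>Jan 12 10:15:09 ksc-srv KSC: CEF:0|Kaspersky|Security Center|11.0|EV_NEW_HOST|New device detected|3|dvchost=ksc-srv shost=WS-0051 msg=First seen in group Unassigned
Jan 12 10:15:11 ksc-srv KSC: free-text event line, not structured at all
"""


def _split_header(cef):
    """Split 'CEF:0|vendor|product|version|sig|name|severity|ext' into the
    seven header fields plus the raw extension, honouring '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):   # escaped char: take it literally
            cur.append(cef[i + 1])
            i += 2
            continue
        if c == "|":                          # unescaped pipe ends a field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:                       # truncated or not CEF at all
        return None, ""
    return fields, cef[i:]


def _parse_extension(ext):
    """Parse 'k1=v1 k2=v2 ...' where values may contain spaces and escapes.

    Escapes are decoded in one pass while remembering which '=' were
    unescaped separators; each middle piece is then '<value> <next key>'."""
    chars, seps, i = [], [], 0
    while i < len(ext):
        c = ext[i]
        if c == "\\" and i + 1 < len(ext):
            nxt = ext[i + 1]
            chars.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        if c == "=":
            seps.append(len(chars))
        chars.append(c)
        i += 1
    text = "".join(chars)
    cuts = [-1] + seps + [len(text)]
    pieces = [text[cuts[k] + 1:cuts[k + 1]] for k in range(len(cuts) - 1)]
    if len(pieces) < 2:
        return {}
    result, key = {}, pieces[0].strip()
    for piece in pieces[1:-1]:
        value, _, key_next = piece.rpartition(" ")
        result[key] = value
        key = key_next
    result[key] = pieces[-1].strip()
    return result


def severity_label(severity):
    """Map CEF's 0-10 severity onto the bands the CEF spec defines."""
    try:
        s = int(severity)
    except ValueError:
        return "unknown"
    if s <= 3:
        return "low"
    if s <= 6:
        return "medium"
    if s <= 8:
        return "high"
    return "very-high"


def parse_cef(line):
    """Return a dict for a CEF event, or None if the line carries no CEF header."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, ext = _split_header(line[idx:])
    if fields is None:
        return None
    return {
        "syslog_prefix": line[:idx].rstrip(),
        "cef_version": fields[0][len("CEF:"):],
        "vendor": fields[1], "product": fields[2], "version": fields[3],
        "signature_id": fields[4], "name": fields[5], "severity": fields[6],
        "severity_label": severity_label(fields[6]),
        "ext": _parse_extension(ext),
    }


def summarise(log_text):
    """Split a relay file into parsed CEF events and lines a plugin would not recognise."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_cef(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return {"events": events, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for ev in report["events"]:
        print(f'{ev["severity_label"]:9} {ev["signature_id"]:18} '
              f'{ev["ext"].get("shost", "-"):8} {ev["name"]}')
    for line in report["unparsed"]:
        print("UNPARSED:", line)
```

To run it against a real relay file, replace SAMPLE_LOG with the file contents; if most lines land in `unparsed`, the export format or the relay's line handling is the problem, not the AlienVault plugin, and if they all parse but still do not show up in the UI, the next thing to check is whether the plugin's expected vendor/product header values match what KSC actually emits.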
