
Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description and cautions

Here's how to configure export of only detection events ("detects") from KWTS (Kaspersky Web Traffic Security) to an external syslog server that accepts a TCP stream. KWTS writes its events to syslog facility local1, and the rsyslog rule below filters on that facility and on the "Detected" verdict fields so that nothing else is forwarded.

Details

  1. Create the file /etc/rsyslog.d/kwts-detects.conf with the contents below (replace SERVER:PORT with your external syslog server and port; use @SERVER:PORT instead of @@SERVER:PORT if the server accepts UDP rather than TCP):

    # Disk-assisted queue so detects are buffered locally if the collector is
    # unreachable (retry forever, keep the queue across restarts). These legacy
    # $Action* directives apply to the next action defined, i.e. the forward below.
    $ActionQueueFileName KWTSDetects
    $ActionQueueType LinkedList
    $ActionQueueMaxDiskSpace 1g
    $ActionResumeRetryCount -1
    $ActionQueueSaveOnShutdown on

    # Forward only messages on facility local1 whose text carries a "Detected"
    # verdict in one of the KWTS result fields. 'contains' is a case-sensitive
    # substring match; non-matching messages still go to the local log files.
    if ($syslogfacility-text == 'local1' and (
          $msg contains 'av-status="Detected' or
          $msg contains 'encrypted="Detected' or
          $msg contains 'macros="Detected' or
          $msg contains 'ap-status="Detected' or
          $msg contains 'mlf-status="Detected' or
          $msg contains 'kata-alert="Detected'
        )) then {
        @@SERVER:PORT
    }
  2. Restart the rsyslog service:

    systemctl restart rsyslog
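The script below is an added example and not part of the original post or of KWTS itself. It renders the rsyslog fragment above with SERVER:PORT filled in, re-implements the rule's six "contains" checks in plain shell so the patterns can be tried against sample lines before anything is installed, and wraps the install step with a configuration check (`rsyslogd -N1`) before the restart. The sample log lines, the host name syslog.example.test and the function names are constructed for the example; only the field names and patterns come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: render the kwts-detects.conf
# fragment, reproduce its filter in shell, and install it safely.
# All sample messages below are constructed; they are not real KWTS output.

# Print the fragment with the forwarding target substituted.
#   $1 = server, $2 = port, $3 = tcp|udp  (tcp -> @@host:port, udp -> @host:port)
render_kwts_conf() {
    case $3 in
        tcp) prefix='@@' ;;
        udp) prefix='@' ;;
        *)   echo "usage: render_kwts_conf SERVER PORT tcp|udp" >&2; return 2 ;;
    esac
    # Quoted here-doc: $ActionQueue*, $syslogfacility-text and $msg stay literal
    # for rsyslog; only the placeholder target line is rewritten by sed.
    sed "s|@@SERVER:PORT|${prefix}$1:$2|" <<'EOF'
$ActionQueueFileName KWTSDetects
$ActionQueueType LinkedList
$ActionQueueMaxDiskSpace 1g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

if ($syslogfacility-text == 'local1' and (
      $msg contains 'av-status="Detected' or
      $msg contains 'encrypted="Detected' or
      $msg contains 'macros="Detected' or
      $msg contains 'ap-status="Detected' or
      $msg contains 'mlf-status="Detected' or
      $msg contains 'kata-alert="Detected'
    )) then {
    @@SERVER:PORT
}
EOF
}

# Shell re-implementation of the rule: exit 0 only when the facility is local1
# AND the message contains one of the six fixed substrings, the same
# case-sensitive, non-regex test that rsyslog's 'contains' performs.
#   $1 = facility name (local1, local0, ...), $2 = message text
kwts_is_detect() {
    [ "$1" = "local1" ] || return 1
    printf '%s\n' "$2" | grep -qF \
        -e 'av-status="Detected' \
        -e 'encrypted="Detected' \
        -e 'macros="Detected' \
        -e 'ap-status="Detected' \
        -e 'mlf-status="Detected' \
        -e 'kata-alert="Detected'
}

# Run the filter over a constructed sample (facility|message per line), print
# each line that would be forwarded to stderr, and print the count to stdout.
kwts_filter_sample() {
    samples='local1|av-status="Detected" verdict="EICAR-Test-File" url="http://example.test/eicar"
local1|av-status="Clean" url="http://example.test/index.html"
local1|kata-alert="Detected" url="http://example.test/dropper.exe"
local0|av-status="Detected" url="http://example.test/not-from-kwts"
local1|encrypted="Detected" filename="archive.zip"
local1|user="alice" comment="Detected nothing, status ok"'
    count=0
    while IFS='|' read -r fac msg; do
        if kwts_is_detect "$fac" "$msg"; then
            count=$((count + 1))
            printf 'FORWARD: %s\n' "$msg" >&2
        fi
    done <<EOF
$samples
EOF
    echo "$count"
}

# On the KWTS host: write the fragment, validate the whole rsyslog configuration
# with rsyslogd -N1 (non-zero exit on a syntax error), and only then restart.
# Defined here but not executed; needs root.
install_kwts_conf() {
    conf=$(render_kwts_conf "$1" "$2" "$3") || return $?
    printf '%s\n' "$conf" > /etc/rsyslog.d/kwts-detects.conf
    rsyslogd -N1 || { echo "rsyslog config check failed; not restarting" >&2; return 1; }
    systemctl restart rsyslog
}

# Emit one constructed detection event on local1 so the forward can be observed
# on the collector. Defined here but not executed.
send_kwts_test_event() {
    logger -p local1.info 'av-status="Detected" test="kwts-detects-forward-check"'
}

# Usage: sh kwts-detects.sh selftest   -> lists the sample lines that would be forwarded
if [ "${1:-}" = "selftest" ]; then kwts_filter_sample; fi
```

Of the six sample lines, three are forwarded: the two local1 lines with `av-status="Detected"` and `kata-alert="Detected"`, and the `encrypted="Detected"` line. The `av-status="Clean"` line, the local0 line (wrong facility) and the line that merely contains the word "Detected" outside a result field are dropped, which is the behaviour of the rsyslog rule. After `install_kwts_conf SERVER PORT tcp` on the KWTS host, `send_kwts_test_event` followed by a look at the collector (or `ss -tnp | grep PORT` on the sender) confirms the TCP forward is up.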
