KWTS: Send only detects to external syslog server [Kaspersky Web Traffic Security]


Description and cautions

Here's how to configure rsyslog to export only detection events from KWTS (which logs them on syslog facility local1) to an external syslog server that accepts a TCP stream.

Details

  1. Create the file /etc/rsyslog.d/kwts-detects.conf with the contents below (replace SERVER:PORT with your external syslog server; use @SERVER:PORT instead of @@SERVER:PORT if UDP is in use instead of TCP):

    # Disk-assisted queue: buffer detects on disk if the remote server is unreachable,
    # retry forever, and keep the queue across rsyslog restarts
    $ActionQueueFileName KWTSDetects
    $ActionQueueType LinkedList
    $ActionQueueMaxDiskSpace 1g
    $ActionResumeRetryCount -1
    $ActionQueueSaveOnShutdown on

    # Forward only KWTS messages (facility local1) whose body carries a detection status
    if ($syslogfacility-text == 'local1' and (
          $msg contains 'av-status="Detected' or
          $msg contains 'encrypted="Detected' or
          $msg contains 'macros="Detected' or
          $msg contains 'ap-status="Detected' or
          $msg contains 'mlf-status="Detected' or
          $msg contains 'kata-alert="Detected'
        )) then {
        @@SERVER:PORT
    }
  2. Restart the rsyslog service like this:

    systemctl restart rsyslog
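As an added example (not from the post, and not KWTS, Kaspersky or rsyslog code), the following Python script mirrors the rsyslog condition above over a few constructed syslog lines, so you can check which messages the rule would forward before changing a production host. Only the six marker strings come from the rule; the line format, hostnames, tags and field values are assumed for illustration, and the facility numbering (local1 = facility 17) is the standard syslog PRI mapping.

```python
import re

# The six substrings the rsyslog rule matches on (taken from the rule itself).
DETECT_MARKERS = (
    'av-status="Detected',
    'encrypted="Detected',
    'macros="Detected',
    'ap-status="Detected',
    'mlf-status="Detected',
    'kata-alert="Detected',
)

# Standard syslog facility numbering: local0..local7 are facilities 16..23,
# so local1 is facility 17. PRI = facility * 8 + severity.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def split_pri(line):
    """Return (facility_name, rest_of_line) for a line with a <PRI> prefix.

    Lines without a valid PRI get facility None, so they are never forwarded;
    this matches the rule, where only facility local1 is eligible.
    """
    m = PRI_RE.match(line)
    if not m:
        return None, line
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None, line
    facility = FACILITY_NAMES.get(pri // 8, str(pri // 8))
    return facility, m.group(2)


def should_forward(line):
    """Python rendering of the rule: facility local1 AND any marker substring.

    Like rsyslog's `contains`, this is a plain case-sensitive substring test,
    so any value that begins with Detected matches, and a lower-case
    'detected' does not.
    """
    facility, msg = split_pri(line)
    return facility == "local1" and any(marker in msg for marker in DETECT_MARKERS)


def select_detects(lines):
    """Return only the lines the rule would send to @@SERVER:PORT."""
    return [line for line in lines if should_forward(line)]


# Constructed sample lines (not real KWTS output; field names and values are illustrative).
SAMPLE_LINES = [
    # local1 (PRI 142 = 17*8 + info) with an AV detection -> forwarded
    '<142>Jan  1 12:00:00 kwts kwts: url="http://example.invalid/a" av-status="Detected"',
    # local1 with a non-detection verdict -> dropped
    '<142>Jan  1 12:00:01 kwts kwts: url="http://example.invalid/b" av-status="NotDetected"',
    # local0 (PRI 134 = 16*8 + info) with a detection -> dropped, wrong facility
    '<134>Jan  1 12:00:02 other app: av-status="Detected"',
    # local1 with a KATA alert -> forwarded
    '<142>Jan  1 12:00:03 kwts kwts: url="http://example.invalid/c" kata-alert="Detected"',
    # local1 with a lower-case value -> dropped, the match is case-sensitive
    '<142>Jan  1 12:00:04 kwts kwts: url="http://example.invalid/d" av-status="detected"',
]

if __name__ == "__main__":
    for line in select_detects(SAMPLE_LINES):
        print("FORWARD:", line)
```

Running it prints the first and fourth sample lines only. Once the real /etc/rsyslog.d/kwts-detects.conf is in place, `rsyslogd -N1` validates the rsyslog configuration syntax before the restart in step 2.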