SIEM intergration - no events: the most frequent reason for error [KSC for Windows]

[Igor Akhmetov]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

 

This article is about Kaspersky Security Center for Windows (KSC for Windows)

Problem

You set up integration with SIEM but no events come up on SIEM side. In some cases there is no incoming traffic to SIEM from KSC server.

Solution

In vast majority of cases the root cause can be located in KSC server trace

Trace example #1

25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.

Trace example #2

24.10.2017 13:27:06.071 00001C78.00001464 L1  KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224. Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151)   Error loc: 'This operation requires a license for the feature Systems Management.'.

 

If you can find such a line, make sure that Systems management license is installed on KSC. If the issue reproduces with SM license installed do the following:

1. Enable admin server tracing
2. Click 'Export archive' button
3. Wait 15 minutes
4. Provide Customer Support (https://companyaccount.kaspersky.com/) with the traces, GSI file (https://support.kaspersky.com/common/diagnostics/3632 - do not forget to switch on the event logs collection), and the detailed problem description.