Kaspersky Unified Monitoring and Analysis Platform

Configuring the event source server

April 8, 2024

ID 239849

The rsyslog service is used to transmit events from the server to the KUMA collector.

To configure transmission of events from the server to the collector:

  1. Make sure that the rsyslog service is installed on the event source server. For this purpose, execute the following command:

    systemctl status rsyslog.service

    If the rsyslog service is not installed on the server, install it by executing the following command:

    yum install rsyslog
    systemctl enable rsyslog.service
    systemctl start rsyslog.service

  2. In the /etc/rsyslog.d folder, create the audit.conf file with the following content:

    $ModLoad imfile
    $InputFileName /var/log/audit/audit.log
    $InputFileTag tag_audit_log:
    $InputFileStateFile audit_log
    $InputFileSeverity info
    $InputFileFacility local6
    $InputRunFileMonitor
    *.* @<KUMA collector IP address>:<KUMA collector port>

    The last line of the file sends events over UDP. If you want to send events over TCP, replace the last line of the file with the following line:

    *.* @@<KUMA collector IP address>:<KUMA collector port>

  3. Save the changes to the audit.conf file.
  4. Restart the rsyslog service by executing the following command:

    systemctl restart rsyslog.service

The event source server is configured. Data about events is transmitted from the server to the KUMA collector.
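
Steps 2 to 4 as a script, added here as an example and not part of the Kaspersky documentation: it renders audit.conf with the same directives, rejects a malformed collector address or port before anything is written, and runs the rsyslog configuration check (`rsyslogd -N1`) when it writes to /etc/rsyslog.d. The function names and the IPv4-only address check are assumptions.

```shell
#!/bin/sh
# Added example, not Kaspersky's code. Function names are assumptions.

# valid_ipv4 ADDR: accept only a dotted-quad IPv4 address (no spaces or newlines).
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

# valid_port PORT: accept only an integer from 1 to 65535 without leading zeros.
valid_port() {
    case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# render_audit_conf IP PORT [udp|tcp]: print the audit.conf from step 2 to stdout.
render_audit_conf() {
    ip=$1 port=$2 proto=${3:-udp}
    valid_ipv4 "$ip" || { echo "invalid collector address" >&2; return 1; }
    valid_port "$port" || { echo "invalid collector port" >&2; return 1; }
    case $proto in
        udp) fwd='@' ;;    # single @ forwards over UDP
        tcp) fwd='@@' ;;   # double @ forwards over TCP
        *) echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
    cat <<EOF
\$ModLoad imfile
\$InputFileName /var/log/audit/audit.log
\$InputFileTag tag_audit_log:
\$InputFileStateFile audit_log
\$InputFileSeverity info
\$InputFileFacility local6
\$InputRunFileMonitor
*.* ${fwd}${ip}:${port}
EOF
}

# install_audit_conf IP PORT [udp|tcp] [DIR]: write DIR/audit.conf atomically.
# The temporary name does not end in .conf, so rsyslog never loads a partial file.
install_audit_conf() {
    dir=${4:-/etc/rsyslog.d}
    tmp=$(mktemp "$dir/.audit.conf.XXXXXX") || return 1
    render_audit_conf "$1" "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$dir/audit.conf" || { rm -f "$tmp"; return 1; }
    # Syntax-check the live configuration only when writing to the real directory.
    [ "$dir" != /etc/rsyslog.d ] || rsyslogd -N1
}
```

After sourcing the file as root, `install_audit_conf 192.0.2.10 5140 tcp && systemctl restart rsyslog.service` restarts the service only if the configuration check passes; the address and port shown are placeholder values.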
