Configuring event export in the CEF format

December 13, 2023

ID 267198

Before enabling event export in CEF format, you must install the siem_logging_fixes.zip update package on each node of the Kaspersky Web Traffic Security cluster. Contact Technical Support to get the update package.

To enable the export of events in Technical Support Mode, you must first upload the SSH public key in the web interface of the application and configure the publishing of application events to the SIEM system.

Follow the steps below on each node of the cluster from which you want to export events in the CEF format.

To configure the export of events in the CEF format:

  1. If Kaspersky Web Traffic Security was installed from an iso file, connect to the management console of the Kaspersky Web Traffic Security virtual machine under the root account using the SSH private key. This takes you to the Technical Support Mode.

    If Kaspersky Web Traffic Security was installed from an rpm or deb package, start the command shell of the operating system to run commands with superuser (system administrator) permissions.

  2. Go to the /opt/kaspersky/kwts/share/templates/core_settings directory and create a backup copy of the event_logger.json.template file:

    cp -p event_logger.json.template event_logger.json.template.backup

  3. Open the event_logger.json.template file for editing and specify the following settings in the siemSettings section (make sure to observe the syntax and structure of the JSON file):

    "enabled": true,

    "facility": "Local5",

    "logLevel": "Info",

  4. In the web interface of the application, in the Settings → Logs and events section, edit the value of any setting and click Save.

    This is necessary to synchronize settings among cluster nodes and apply changes made to the configuration file. You can then restore the previous value of the setting you edited.

  5. Make sure the changes are applied:

    /opt/kaspersky/kwts/bin/kwts-control --get-settings 20 --format json | grep -A 4 siemSettings

    The response must contain the settings with the values specified in step 3.

Export of events in CEF format is configured.

If you want to disable the export of events in the CEF format, follow the steps of the instructions above and at step 3, set "enabled": false.
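The following script is an added example, not part of this Kaspersky article or of the product itself. It carries out steps 2, 3 and 5 of the procedure above against a copy of event_logger.json.template (backup with preserved metadata, rewrite of the three siemSettings keys, re-read to confirm the values), and also covers the disabling variant just described by passing enabled=False. It assumes, which the page does not state, that the template file parses as plain JSON with a top-level "siemSettings" object; it does not replace the web-interface save in step 4 or the kwts-control check in step 5, which remain the authoritative way to apply and confirm the change on the cluster.

```python
"""Apply and verify the siemSettings values from the CEF export procedure.

Assumption (not from the page): event_logger.json.template is valid JSON with a
top-level "siemSettings" object. Only the three keys named in step 3 are touched;
every other section of the file is preserved as-is.
"""
import json
import shutil
import tempfile
from pathlib import Path

# Location named in step 2 of the procedure.
TEMPLATE_DIR = Path("/opt/kaspersky/kwts/share/templates/core_settings")
TEMPLATE = TEMPLATE_DIR / "event_logger.json.template"

# Values from step 3 of the procedure.
SIEM_ENABLED = {"enabled": True, "facility": "Local5", "logLevel": "Info"}


def apply_siem_settings(settings: dict, enabled: bool = True) -> dict:
    """Return a copy of the settings with the siemSettings section updated.

    enabled=False is the disabling variant from the end of the article: only
    "enabled" differs, facility and logLevel keep the step 3 values.
    """
    updated = json.loads(json.dumps(settings))  # deep copy, input untouched
    siem = updated.setdefault("siemSettings", {})
    siem.update(SIEM_ENABLED)
    siem["enabled"] = enabled
    return updated


def check_siem_settings(settings: dict, enabled: bool = True) -> bool:
    """Step 5 equivalent: every expected siemSettings key carries the expected value."""
    siem = settings.get("siemSettings", {})
    expected = dict(SIEM_ENABLED, enabled=enabled)
    return all(siem.get(key) == value for key, value in expected.items())


def configure_template(path: Path, enabled: bool = True) -> dict:
    """Steps 2 and 3: back up the template, rewrite siemSettings, return the new contents."""
    backup = path.with_name(path.name + ".backup")
    shutil.copy2(path, backup)  # like `cp -p`: keeps mode and timestamps
    with path.open(encoding="utf-8") as fh:
        settings = json.load(fh)
    updated = apply_siem_settings(settings, enabled)
    with path.open("w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
        fh.write("\n")
    return updated


# Constructed sample template (not the real product file) so the script runs offline.
SAMPLE_TEMPLATE = {
    "siemSettings": {"enabled": False, "facility": "Local0", "logLevel": "Error"},
    "otherSection": {"keep": "untouched"},
}


def demo_on_temp_copy(enabled: bool = True) -> dict:
    """Run the whole edit against a temp copy of SAMPLE_TEMPLATE and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "event_logger.json.template"
        sample.write_text(json.dumps(SAMPLE_TEMPLATE, indent=2), encoding="utf-8")
        configure_template(sample, enabled)
        reread = json.loads(sample.read_text(encoding="utf-8"))
        return {
            "backup_exists": sample.with_name(sample.name + ".backup").exists(),
            "check_passed": check_siem_settings(reread, enabled),
            "other_preserved": reread.get("otherSection") == SAMPLE_TEMPLATE["otherSection"],
            "siem": reread["siemSettings"],
        }


if __name__ == "__main__":
    # Dry run on the constructed sample; point configure_template at TEMPLATE on a real node.
    print(demo_on_temp_copy())
    print(demo_on_temp_copy(enabled=False))
```

On a real node, run it as root (Technical Support Mode for an iso install, a superuser shell for rpm/deb) and then still perform step 4 in the web interface so the cluster nodes synchronize, followed by the kwts-control check in step 5.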
