Configuring the publishing of application events to a SIEM system

December 13, 2023

ID 267199

To configure event publishing in Technical Support Mode, you must first upload the SSH public key in the web interface of the application.

Follow the steps below on each node of the cluster from which you want to publish events to the SIEM system. You should only enable export of events in CEF format after configuring the publishing of events.

To configure the publishing of application events to a SIEM system:

  1. If Kaspersky Web Traffic Security was installed from an iso file, connect to the management console of the Kaspersky Web Traffic Security virtual machine under the root account using the SSH private key. This takes you to the Technical Support Mode.

    If Kaspersky Web Traffic Security was installed from an rpm or deb package, start the command shell of the operating system to run commands with superuser (system administrator) permissions.

  2. Events are sent to an external SIEM system using the rsyslog system logging service. To make sure the service is installed and running, run the following command:

    systemctl status rsyslog

    The service status must be active (running).

    If the rsyslog service is not running or is not installed, install and enable the rsyslog service in accordance with the documentation of your operating system.

  3. Specify the address and port for connecting to the server with the SIEM system. To do this, create the /etc/rsyslog.d/kwts-cef-messages.conf file and add the following lines to it:

    $ActionQueueFileName ForwardToSIEM5

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local5.* @@<IP address of the SIEM system>:<port on which the SIEM system receives messages from Syslog via the TCP protocol>

    local5.* stop

    The double @@ forwards over TCP (a single @ would send over UDP, which cannot detect lost messages). The queue directives above make the forwarding action disk-assisted, so events are buffered on disk (up to 1 GB) and retried indefinitely while the SIEM system is unreachable, and are preserved across a restart. The final stop line discards local5 messages after forwarding so they are not also written to the node's local log files.

    Example:

    $ActionQueueFileName ForwardToSIEM5

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local5.* @@10.16.32.64:514

    local5.* stop

  4. Restart the rsyslog service. To do so, execute the command:

    systemctl restart rsyslog

  5. Check the status of the rsyslog service using the following command:

    systemctl status rsyslog

    The status must be active (running).

  6. Send a test message to the SIEM system:

    logger -p local5.info "Test message"

    Confirm that the message arrives in the SIEM system before enabling CEF export.

The publishing of application events to the SIEM system is configured.
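As an added example, not from the Kaspersky documentation, the following POSIX shell script bundles steps 3 to 6 for one cluster node: it validates the SIEM address and TCP port, generates the file contents shown above, installs the file with a rollback if the rsyslog configuration check fails, restarts rsyslog, verifies that it is active, and sends the test message. The file path, the directives and the local5 facility come from the page; the function names, the .new/.bak handling and the use of `rsyslogd -N1` for the pre-restart check are the example's own choices.

```shell
#!/bin/sh
# Added example (not Kaspersky's own code). Run as root on each node.
# Usage: . ./kwts-siem.sh && kwts_siem_apply 10.16.32.64 514

# kwts_siem_conf SIEM_IP SIEM_PORT [QUEUE_NAME]
# Validates the inputs and prints the rsyslog fragment to stdout.
kwts_siem_conf() {
    ip="$1"; port="$2"; queue="${3:-ForwardToSIEM5}"

    # Accept only a dotted-quad IPv4 address with each octet in 0..255.
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "bad ip: $ip" >&2; return 1 ;;
    esac
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad ip: $ip" >&2; return 1; }
    for oct in "$@"; do
        [ "$oct" -le 255 ] || { echo "bad ip: $ip" >&2; return 1; }
    done

    # Accept only a numeric TCP port in 1..65535.
    case "$port" in
        ""|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }

    # Disk-assisted queue, unlimited retries, TCP forwarding (@@), then stop.
    cat <<EOF
\$ActionQueueFileName $queue
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
local5.* @@$ip:$port
local5.* stop
EOF
}

# kwts_siem_apply SIEM_IP SIEM_PORT
# Writes /etc/rsyslog.d/kwts-cef-messages.conf, checks the full rsyslog
# configuration, restarts the service and sends the test message.
kwts_siem_apply() {
    conf=/etc/rsyslog.d/kwts-cef-messages.conf
    kwts_siem_conf "$1" "$2" > "$conf.new" || { rm -f "$conf.new"; return 1; }
    [ -f "$conf" ] && cp -p "$conf" "$conf.bak"
    mv "$conf.new" "$conf"

    # Dry-run parse of /etc/rsyslog.conf (which includes /etc/rsyslog.d/*.conf);
    # roll back the fragment rather than restart into a broken configuration.
    if ! rsyslogd -N1 >/dev/null 2>&1; then
        echo "rsyslog configuration check failed, rolling back" >&2
        if [ -f "$conf.bak" ]; then mv "$conf.bak" "$conf"; else rm -f "$conf"; fi
        return 1
    fi

    systemctl restart rsyslog || return 1
    systemctl is-active --quiet rsyslog || { echo "rsyslog is not running" >&2; return 1; }

    # Step 6: the message should appear in the SIEM system shortly afterwards.
    logger -p local5.info "Test message"
}
```

The generator and the apply step are separate so the fragment can be reviewed (or diffed against the existing file) before anything is written under /etc; the apply step only touches the single kwts-cef-messages.conf file and leaves the rest of the rsyslog configuration alone.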
