Step 6. Adding a log source to System Monitor Agent

This section describes the actions to perform so that a new log source pertaining to Kaspersky CyberTrace appears in LogRhythm. If LogRhythm is already configured properly, you do not need to take action: the new log source appears in LogRhythm automatically, and you only have to check that everything is as you specified.

To create conditions for a log source pertaining to Kaspersky CyberTrace to be added to LogRhythm:

  1. Run LogRhythm Console.
  2. Select Deployment Manager > System Monitors.
  3. Right-click the agent, and then click Properties in the context menu.

    Agent context menu

    The System Monitor Agent Properties window opens.

  4. Select the Syslog and Flow Settings tab.
  5. Select the Enable Syslog Server checkbox.


    System Monitor Agent Properties window

  6. Click OK.
  7. Turn off Windows Firewall or add an exclusion to it so that incoming syslog events can reach the agent.
  8. Select Deployment Manager > Data Processors > Properties > Advanced.

    The Data Processor Advanced Properties window opens.

  9. In the table, select the checkboxes in the Value column for the following properties (property names are in the Name column):
    • AutomaticLogSourceConfigurationNetFlow
    • AutomaticLogSourceConfigurationsFlow
    • AutomaticLogSourceConfigurationSNMPTrap
    • AutomaticLogSourceConfigurationSyslog


    Data Processor Advanced Properties window

  10. Click OK.
  11. Restart LogRhythm if necessary.

    LogRhythm will inform you whether a restart is required.
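Step 7 offers two options, turning Windows Firewall off or adding an exclusion. The following PowerShell, added here as an example and not taken from the Kaspersky CyberTrace or LogRhythm documentation, implements the narrower option: an inbound rule limited to the syslog port and to the Kaspersky CyberTrace host, followed by a check that the System Monitor Agent is actually bound to that port after the Enable Syslog Server checkbox from step 5 has been set. It assumes the agent listens on UDP 514, the default syslog port (use the port configured on the Syslog and Flow Settings tab if it differs), and uses 192.0.2.10 as a placeholder for the Kaspersky CyberTrace address.

```powershell
# Added example (not from the Kaspersky CyberTrace or LogRhythm documentation).
# Scopes the inbound exclusion from step 7 to the syslog port and the CyberTrace host
# instead of turning Windows Firewall off. Run in an elevated PowerShell session.
# Assumptions (adjust to your deployment):
#   - the System Monitor Agent listens on UDP 514 (default syslog port; use the port
#     configured on the Syslog and Flow Settings tab if it differs)
#   - Kaspersky CyberTrace sends from 192.0.2.10 (placeholder address)

$SyslogPort     = 514
$CyberTraceHost = '192.0.2.10'   # placeholder, replace with the real CyberTrace address
$RuleName       = 'LogRhythm SMA - inbound syslog from Kaspersky CyberTrace'

# Create the rule only once; rerunning the script leaves an existing rule untouched.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort $SyslogPort `
        -RemoteAddress $CyberTraceHost -Profile Domain,Private `
        -Description 'Allows syslog from Kaspersky CyberTrace to the LogRhythm System Monitor Agent' |
        Out-Null
}

# Show that the rule is present and enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Verify that something is listening on the syslog port; if nothing is bound, the
# Enable Syslog Server checkbox (step 5) is not set or the agent service is not running.
$listener = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    "UDP $SyslogPort is bound by process $($listener.OwningProcess) ($($proc.ProcessName))"
} else {
    "Nothing is listening on UDP $SyslogPort - check the Syslog and Flow Settings tab and the agent service"
}
```

Restricting the rule to the CyberTrace address and to the Domain and Private profiles keeps the syslog listener unreachable from any other host, which is the property lost when the firewall is turned off entirely.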

After Kaspersky CyberTrace sends an event, a new item appears on the Log Sources tab.

To accept the new log source:

  1. Right-click the new item, and then select Actions > Resolve Log Source Hosts.
  2. Double-click the new item.

    The Log Source Acceptance Properties window opens.


    Log Source Acceptance Properties window

  3. Edit the properties:
    • Specify the log source host.
    • Specify Kaspersky CyberTrace as the log source type.
    • Specify the MPE policy that you added in step 4.
  4. Click OK.
  5. If an error message appears saying that you cannot use an unknown log source host, add a new entity as follows:
    1. In LogRhythm Console, select the Entities tab.
    2. Click the New Child Entity toolbar button.


    3. In the Entity Properties window that opens, specify the entity properties.


      The entity name must be unique and non-empty. Other entity properties can be arbitrary.

    4. Click OK.
    5. Repeat the action in step 3 by using the created entity as the log source host.
  6. Select the Action checkbox.
  7. Right-click the log source, and then select Actions > Accept > Defaults.


    Log source context menu

    The new log source now appears in the lower table in LogRhythm Console.


    New log source

Disabling log forwarding for the events received from Kaspersky CyberTrace

You may need to disable log forwarding for the events received from Kaspersky CyberTrace, to avoid event looping, in which the received events are forwarded back to Kaspersky CyberTrace.

To disable log forwarding for the events received from Kaspersky CyberTrace:

  1. On the Log Sources tab, select the checkbox of the log source associated with Kaspersky CyberTrace.
  2. Right-click the log source, and then select Actions > Edit properties.

    Editing the properties of the Kaspersky CyberTrace log source

  3. The Log Message Source Properties window opens. In the Log Message Processing Mode drop-down list, select MPE Processing Enabled, Event Forwarding Disabled, and then click OK.

    Log Message Source Properties window: specifying the log message processing mode

In the MPE Processing Mode column, No Event Forwarding will be displayed for the selected log source.

The MPE Processing Mode column
