This section explains how to configure LogRhythm to forward logs to Kaspersky CyberTrace. Configuring LogRhythm includes adding a log receiver and adding a log distribution policy.
Adding a log receiver
In LogRhythm, create a new log receiver. This log receiver will represent Kaspersky CyberTrace.
To add a log receiver to LogRhythm:
The Log Distribution Receiver Manager window opens.
InputSettings > ConnectionString
element of the Feed Service configuration file).InputSettings > ConnectionString
element of the Feed Service configuration file).Adding a log distribution policy
After the log receiver is added, set the conditions by adding a log distribution policy for events to be forwarded to Kaspersky CyberTrace.
To add a log distribution policy:
The Log Distribution Policy Wizard starts. Proceed through the wizard by using the Next button.
Select Log Sources window
Make sure that Kaspersky CyberTrace in not selected as a log source for forwarding, because that will result in events looping. For the same reason, do not select All available Log Sources in the previous step.
For more details on defining these filters, refer to the LogRhythm documentation.
We recommend that you do not specify these filters.
Click Yes.
Confirmation of forwarding all logs without applying filters
Kaspersky CyberTrace
.
Select Distribution Receivers window
Define Syslog Sender Override Settings window
Additional Information window
Right-click the new row in the table, and then select Enabled.
The computer on which Kaspersky CyberTrace is installed will now receive logs. You can check this by using the netcat utility.
Displaying detection events in LogRhythm
As a result of the above actions, LogRhythm will receive and display detection events. The events will also appear in the web console, which is available at https://<logrhythmIP>:8443
or at https://<logrhythmIP>:80
.