This section explains how to verify that Kaspersky CyberTrace has been integrated with LogRhythm correctly by performing the verification test.
To create the conditions for performing the verification test:
Log source type properties:

| Field | Data |
|---|---|
| Name | Kaspersky LogScanner |
| Full Name | Kaspersky LogScanner |
| Abbreviation | LogScanner |
| Log Format | Syslog |
| Brief Description | Kaspersky LogScanner is a command-line application that allows you to send data to Feed Service for checking against feeds. |
Common event properties:

| Field | Data |
|---|---|
| Name | LogScanner_event |
| Classification | Audit : Other Audit |
| Brief Description | LogScanner event for verification purposes |
| Risk Rating | Low-Low |
Common Event Properties window
Specify LogScanner_event as the Rule Name.
Rule builder form
In the Log Source Type list, select Kaspersky LogScanner. Specify all other parameters, as described in section "Step 5. Adding Kaspersky CyberTrace policy".
514
Send the %service_dir%/verification/kl_verification_test_cef.txt file to LogRhythm.
Linux: ./log_scanner -p ../verification/kl_verification_test_cef.txt
Windows: log_scanner.exe -p ..\verification\kl_verification_test_cef.txt
After Kaspersky Log Scanner sends an event, a new item will appear on the Log Sources tab.
To accept the new log source:
The Log Source Acceptance Properties window opens.
Log Source Acceptance Properties window
Select Kaspersky LogScanner as the log source type. The entity name must be unique and non-empty. Other entity properties can be arbitrary.
Log source context menu
The new log source now appears in the lower table in LogRhythm Console.
New log source
If you have previously configured log forwarding, as described in section "Step 7. Configuring log forwarding to Kaspersky CyberTrace", make sure that you have Kaspersky LogScanner selected as a Log source (see subsection "Adding a log distribution policy").
To perform the verification test:
Resend the %service_dir%/verification/kl_verification_test_cef.txt file to LogRhythm.
Linux: ./log_scanner -p ../verification/kl_verification_test_cef.txt
Windows: log_scanner.exe -p ..\verification\kl_verification_test_cef.txt
If the integration of Kaspersky CyberTrace with LogRhythm has been configured properly, test events from Log Scanner will be forwarded to Kaspersky CyberTrace automatically. Then, the alert events from Kaspersky CyberTrace will be sent to LogRhythm. The number of detections may vary depending on enabled Kaspersky Threat Data Feeds. The alert events can be displayed in the LogRhythm web console, as described in section "Step 10 (optional). Displaying alert events in LogRhythm".
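Because the number of alert events returned by the verification test depends on which feeds are enabled, it helps to count the received alerts per feed rather than just checking that "something arrived". The script below is an added example, not part of the Kaspersky CyberTrace or LogRhythm documentation: it parses syslog lines that carry CEF payloads (the format of the verification file) and tallies detections per feed. The sample lines, the vendor/product values and the `feed` extension key are constructed placeholders, not the real field names CyberTrace emits; substitute the key your deployment uses.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of syslog lines carrying CEF events, in the general shape a
# SIEM listener might receive after the verification test. These are NOT real
# Kaspersky CyberTrace output: vendor/product/signature/extension keys (such as
# "feed") are placeholders chosen for illustration only.
SAMPLE_SYSLOG = """\
<14>Jan 10 12:00:01 cybertrace CEF:0|Kaspersky|CyberTrace|1.0|100|Feed detection|5|src=10.0.0.5 feed=Example_Malicious_URL_Feed
<14>Jan 10 12:00:02 cybertrace CEF:0|Kaspersky|CyberTrace|1.0|100|Feed detection|5|src=10.0.0.7 feed=Example_Malicious_Hash_Feed
<14>Jan 10 12:00:03 cybertrace CEF:0|Kaspersky|CyberTrace|1.0|100|Feed detection|5|src=10.0.0.5 feed=Example_Malicious_URL_Feed
<14>Jan 10 12:00:04 cybertrace some unrelated syslog line without a CEF payload
"""

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def split_cef_header(cef_body: str):
    """Split the seven pipe-delimited CEF header fields, honouring backslash
    escapes (\\| and \\\\) as CEF requires. Returns (fields, extension_string)
    or None if fewer than seven fields are present."""
    fields, current, i = [], [], 0
    while i < len(cef_body) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):   # escaped character
            current.append(cef_body[i + 1])
            i += 2
            continue
        if ch == "|":                                # field terminator
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if len(fields) < len(CEF_HEADER_FIELDS):
        return None
    return fields, cef_body[i:]


# key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces (e.g. msg=hello world) are kept whole.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Optional[dict]:
    """Parse one syslog line into a dict of CEF header fields plus an
    'extension' dict. Returns None if the line carries no CEF payload."""
    marker = line.find("CEF:")
    if marker < 0:
        return None
    parsed = split_cef_header(line[marker + len("CEF:"):])
    if parsed is None:
        return None
    fields, extension = parsed
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event["extension"] = {k: v for k, v in _EXT_RE.findall(extension.strip())}
    return event


def count_detections_by_feed(syslog_text: str, feed_key: str = "feed") -> Counter:
    """Count CEF alert events per feed name so the verification result can be
    compared with the set of enabled feeds. 'feed_key' is the assumed
    extension key that names the feed (a placeholder in this example)."""
    counts = Counter()
    for raw in syslog_text.splitlines():
        event = parse_cef(raw)
        if event is None:
            continue                                 # skip non-CEF lines
        counts[event["extension"].get(feed_key, "<no feed field>")] += 1
    return counts


if __name__ == "__main__":
    for feed, n in count_detections_by_feed(SAMPLE_SYSLOG).items():
        print(f"{feed}: {n} detection(s)")
```

Feed the script the syslog capture taken on the LogRhythm side (or the output of any listener you stand up for the test) instead of the embedded sample; a feed that is enabled in Kaspersky CyberTrace but absent from the tally points at the forwarding or the log distribution policy rather than at the feed itself.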