Step 8 (optional). Performing the verification test

This section explains how to verify that Kaspersky CyberTrace has been integrated with LogRhythm correctly by performing the verification test.

To create the conditions for performing the verification test:

1. Create a custom log source type, as described in section "Step 1. Adding a Custom Log Source type", with the following parameters:

   Field	Data
   Name	Kaspersky LogScanner
   Full Name	Kaspersky LogScanner
   Abbreviation	LogScanner
   Log Format	Syslog
   Brief Description	Kaspersky LogScanner is a command-line application that allows you to send data to Feed Service for checking against feeds.

2. Add a new common event, as described in section "Step 3 (optional). Adding Kaspersky CyberTrace events", with the following parameters:

   Field	Data
   Name	LogScanner_event
   Classification	Audit : Other Audit
   Brief Description	LogScanner event for verification purposes
   Risk Rating	Low-Low

   

   Common Event Properties window

3. Add an MPE rule for Log Scanner, as described in section "Step 4 (optional). Adding Kaspersky CyberTrace rules", using the following parameters:
   • In the Log Message Source Type Associations tree pane, select Kaspersky LogScanner.
   • Specify LogScanner_event as the Rule Name.
   • In the Common Event drop-down list, select LogScanner_event.
   • In Rule Status, select Production.
   • In Base-Rule Regular Expression, type '.*'.

   

   Rule builder form

4. Create a new policy for Kaspersky Log Scanner, as described in section "Step 5. Adding Kaspersky CyberTrace policy".

   In the Log Source Type list, select Kaspersky LogScanner. Specify all other parameters, as described in section "Step 5. Adding Kaspersky CyberTrace policy".

5. Add a log source to System Monitor Agent:
   1. In the Log Scanner configuration file, specify the IP address of the computer on which LogRhythm runs and port 514.
   2. Send the %service_dir%/verification/kl_verification_test_cef.txt file to LogRhythm.
      • For this purpose, run the following command (in Linux):

        ./log_scanner -p ../verification/kl_verification_test_cef.txt

      • For this purpose, run the following command (in Windows):

        log_scanner.exe -p ..\verification\kl_verification_test_cef.txt

After Kaspersky Log Scanner sends an event, a new item will appear on the Log Sources tab.

To accept the new log source:

1. Right-click the new item, and then select Actions > Resolve Log Source Hosts.
2. Double-click the new item.

   The Log Source Acceptance Properties window opens.

   

   Log Source Acceptance Properties window

3. Edit the properties:
   • Specify the log source host.
   • Specify Kaspersky LogScanner as the log source type.
   • Select the MPE policy that you previously created for Kaspersky Log Scanner.
4. Click OK.
5. If an error message appears saying that you cannot use an unknown log source host, add a new entity as follows:
   1. In LogRhythm Console, select the Entities tab.
   2. Click the New Child Entity toolbar button.

      

   3. In the Entity Properties window that opens, specify the entity properties.

      

      The entity name must be unique and non-empty. Other entity properties can be arbitrary.

   4. Click OK.
   5. Repeat the action in step 3 by using the created entity as the log source host.
6. Select the Action check box.
7. Right-click the log source, and then select Actions > Accept > Defaults.

   

   Log source context menu

   The new log source now appears in the lower table in LogRhythm Console.

   

   New log source

8. Reload LogRhythm.

If you have previously configured log forwarding, as described in section "Step 7. Configuring log forwarding to Kaspersky CyberTrace", make sure that you have Kaspersky LogScanner selected as a Log source (see subsection "Adding a log distribution policy").

To perform the verification test:

Resend the %service_dir%/verification/kl_verification_test_cef.txt file to LogRhythm.

• For this purpose, run the following command (in Linux):

  ./log_scanner -p ../verification/kl_verification_test_cef.txt

• For this purpose, run the following command (in Windows):

  log_scanner.exe -p ..\verification\kl_verification_test_cef.txt

If the integration of Kaspersky CyberTrace with LogRhythm has been configured properly, test events from Log Scanner will be forwarded to Kaspersky CyberTrace automatically. Then, the alert events from Kaspersky CyberTrace will be sent to LogRhythm. The number of detections may vary depending on enabled Kaspersky Threat Data Feeds. The alert events can be displayed in the LogRhythm web console, as described in section "Step 10 (optional). Displaying alert events in LogRhythm".

Page top