Step 8 (optional). Performing the verification test

This section explains how to verify that Kaspersky CyberTrace has been integrated with LogRhythm correctly by performing the verification test.

To create the conditions for performing the verification test:

  1. Create a custom log source type, as described in section "Step 1. Adding a Custom Log Source type", with the following parameters:

    Field               Data
    Name                Kaspersky LogScanner
    Full Name           Kaspersky LogScanner
    Abbreviation        LogScanner
    Log Format          Syslog
    Brief Description   Kaspersky LogScanner is a command-line application that allows you to send data to Feed Service for checking against feeds.

  2. Add a new common event, as described in section "Step 3 (optional). Adding Kaspersky CyberTrace events", with the following parameters:

    Field               Data
    Name                LogScanner_event
    Classification      Audit : Other Audit
    Brief Description   LogScanner event for verification purposes
    Risk Rating         Low-Low

    Common Event Properties window

  3. Add an MPE rule for Log Scanner, as described in section "Step 4 (optional). Adding Kaspersky CyberTrace rules", using the following parameters:
    • In the Log Message Source Type Associations tree pane, select Kaspersky LogScanner.
    • Specify LogScanner_event as the Rule Name.
    • In the Common Event drop-down list, select LogScanner_event.
    • In Rule Status, select Production.
    • In Base-Rule Regular Expression, type '.*'.

    Rule builder form

  4. Create a new policy for Kaspersky Log Scanner, as described in section "Step 5. Adding Kaspersky CyberTrace policy".

    In the Log Source Type list, select Kaspersky LogScanner. Specify all other parameters, as described in section "Step 5. Adding Kaspersky CyberTrace policy".

  5. Add a log source to System Monitor Agent:
    1. In the Log Scanner configuration file, specify the IP address of the computer on which LogRhythm runs and port 514.
    2. Send the %service_dir%/verification/kl_verification_test_cef.txt file to LogRhythm.
      • For this purpose, run the following command (in Linux):

        ./log_scanner -p ../verification/kl_verification_test_cef.txt

      • For this purpose, run the following command (in Windows):

        log_scanner.exe -p ..\verification\kl_verification_test_cef.txt
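        The command above is the only way the page shows to send the verification file, so it is hard to tell a Log Scanner problem from a collector that is not listening. The following added example (not part of Kaspersky's or LogRhythm's documentation or tooling) is a minimal stand-in for the send step: it reads CEF records from a file, wraps each one in an RFC 3164 syslog header, and sends it as a UDP datagram to the collector address and port 514 used in step 5. The sample CEF lines are constructed for illustration, since the contents of kl_verification_test_cef.txt are not reproduced on the page; the hostname, application tag and PRI value are assumptions. A loopback self-check receives the datagrams back, so you can see exactly what the System Monitor Agent would be given before pointing it at the real host.

```python
"""Stand-in for the Log Scanner send step: forward CEF lines as UDP syslog to a
collector (LogRhythm System Monitor Agent on port 514 in the procedure) and
return what was sent, so the collector side can be checked independently."""
import datetime
import socket

# Constructed sample records standing in for kl_verification_test_cef.txt,
# whose real contents are not shown on the page. Addresses are RFC 5737 test
# ranges and the hash is an obvious placeholder.
SAMPLE_CEF_LINES = [
    "CEF:0|Kaspersky|LogScanner|1.0|100|Verification event|1|"
    "src=192.0.2.10 dst=198.51.100.5 request=http://example.com/test",
    "CEF:0|Kaspersky|LogScanner|1.0|101|Verification event|1|"
    "fileHash=0123456789abcdef0123456789abcdef",
]


def build_syslog_message(line, hostname="log-scanner", app="log_scanner", pri=134):
    """Wrap one CEF record in an RFC 3164 header: <PRI>TIMESTAMP HOST TAG: MSG.
    PRI 134 is local0.info; hostname and tag are assumed values."""
    ts = datetime.datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {line}"


def read_cef_lines(text):
    """Keep only CEF records so blank lines or comments are never framed."""
    return [l.strip() for l in text.splitlines() if l.strip().startswith("CEF:")]


def send_lines(lines, host, port, timeout=2.0):
    """Send each line as one UDP datagram; return the list of messages sent."""
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for line in lines:
            msg = build_syslog_message(line)
            s.sendto(msg.encode("utf-8"), (host, port))
            sent.append(msg)
    return sent


def loopback_roundtrip(lines):
    """Offline self-check: bind an ephemeral loopback UDP port, send to it, and
    return the raw datagrams received (what a collector would see)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as recv:
        recv.bind(("127.0.0.1", 0))
        recv.settimeout(2.0)
        port = recv.getsockname()[1]
        send_lines(lines, "127.0.0.1", port)
        got = []
        for _ in lines:
            data, _addr = recv.recvfrom(65535)
            got.append(data.decode("utf-8"))
    return got


if __name__ == "__main__":
    # Against a real collector, replace the placeholder with the LogRhythm host:
    #   with open("../verification/kl_verification_test_cef.txt") as f:
    #       send_lines(read_cef_lines(f.read()), "<logrhythm-ip>", 514)
    for m in loopback_roundtrip(SAMPLE_CEF_LINES):
        print(m)
```

Because the MPE base rule created in step 3 is '.*', every datagram that reaches the agent with the Kaspersky LogScanner source type should produce a LogScanner_event; if the loopback check passes but nothing appears on the Log Sources tab, the problem is between this host and the collector (firewall, wrong IP, or agent not listening on UDP/514), not in the file.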

After Kaspersky Log Scanner sends an event, a new item will appear on the Log Sources tab.

To accept the new log source:

  1. Right-click the new item, and then select Actions > Resolve Log Source Hosts.
  2. Double-click the new item.

    The Log Source Acceptance Properties window opens.

    Log Source Acceptance Properties window

  3. Edit the properties:
    • Specify the log source host.
    • Specify Kaspersky LogScanner as the log source type.
    • Select the MPE policy that you previously created for Kaspersky Log Scanner.
  4. Click OK.
  5. If an error message appears saying that you cannot use an unknown log source host, add a new entity as follows:
    1. In LogRhythm Console, select the Entities tab.
    2. Click the New Child Entity toolbar button.
    3. In the Entity Properties window that opens, specify the entity properties.

      The entity name must be unique and non-empty. Other entity properties can be arbitrary.

    4. Click OK.
    5. Repeat the action in step 3 by using the created entity as the log source host.
  6. Select the Action check box.
  7. Right-click the log source, and then select Actions > Accept > Defaults.

    Log source context menu

    The new log source now appears in the lower table in LogRhythm Console.

    New log source

  8. Reload LogRhythm.

If you have previously configured log forwarding, as described in section "Step 7. Configuring log forwarding to Kaspersky CyberTrace", make sure that you have Kaspersky LogScanner selected as a Log source (see subsection "Adding a log distribution policy").

To perform the verification test:

Resend the %service_dir%/verification/kl_verification_test_cef.txt file to LogRhythm.

If the integration of Kaspersky CyberTrace with LogRhythm has been configured properly, the test events from Log Scanner are forwarded to Kaspersky CyberTrace automatically, and the alert events from Kaspersky CyberTrace are then sent back to LogRhythm. The number of detections may vary depending on which Kaspersky Threat Data Feeds are enabled. The alert events can be displayed in the LogRhythm web console, as described in section "Step 10 (optional). Displaying alert events in LogRhythm".