Step 6. Adding a log source to System Monitor Agent

This section describes the actions to perform so that a new log source pertaining to Kaspersky CyberTrace appears in LogRhythm. If LogRhythm is already configured properly, you do not need to take these actions: the new log source will already appear in LogRhythm, and you only have to check that everything is as you specified.

To create conditions for a log source pertaining to Kaspersky CyberTrace to be added to LogRhythm:

  1. Run LogRhythm Console.
  2. Select Deployment Manager > System Monitors > Agent > Properties.

    The System Monitor Agent Properties window opens.

  3. Select the Syslog and Flow Settings tab.
  4. Select the Enable Syslog Server check box.

    Figure: System Monitor Agent Properties window

  5. Click OK.
  6. Turn off Windows Firewall, or add an exclusion for the syslog listener, so that incoming syslog events can reach the agent.
  7. Select Deployment Manager > Data Processors > Properties > Advanced.

    The Data Processor Advanced Properties window opens.

  8. In the table, select the following items. Property names are in the Name column; the Value column contains the check boxes to be selected:
    • AutomaticLogSourceConfigurationNetFlow
    • AutomaticLogSourceConfigurationsFlow
    • AutomaticLogSourceConfigurationSNMPTrap
    • AutomaticLogSourceConfigurationSyslog

    Figure: Data Processor Advanced Properties window

  9. Click OK.
  10. Restart LogRhythm if necessary.

    LogRhythm will inform you whether a restart is required.
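Step 6 above offers two options; the narrower one is an inbound firewall rule scoped to the CyberTrace host rather than disabling Windows Firewall. The following PowerShell is an added example and is not taken from the Kaspersky CyberTrace or LogRhythm documentation. It assumes the System Monitor Agent listens for syslog on UDP 514 (the conventional syslog port; use the port shown on the Syslog and Flow Settings tab if it differs) and uses a placeholder address for the CyberTrace host.

```powershell
# Added example (not from the Kaspersky CyberTrace or LogRhythm documentation).
# Assumptions: the System Monitor Agent listens for syslog on UDP 514 (the
# conventional syslog port; substitute the port configured on the Syslog and
# Flow Settings tab if it differs), and CyberTrace sends from 192.0.2.10
# (placeholder address; replace with the real CyberTrace host).
$SyslogPort     = 514
$CyberTraceHost = '192.0.2.10'

# Allow inbound syslog from the CyberTrace host only, instead of turning the
# firewall off. Run from an elevated PowerShell session on the agent host.
New-NetFirewallRule -DisplayName 'LogRhythm Syslog from Kaspersky CyberTrace' `
    -Direction Inbound -Protocol UDP -LocalPort $SyslogPort `
    -RemoteAddress $CyberTraceHost -Action Allow -Profile Any `
    -Description 'Allows syslog events from Kaspersky CyberTrace to reach the System Monitor Agent'

# Check that the agent is actually bound to the port after Enable Syslog Server
# is selected; an allow rule is useless if nothing is listening.
$listener = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    "UDP/$SyslogPort is bound by '$($proc.ProcessName)' (PID $($listener.OwningProcess))."
} else {
    "Nothing is listening on UDP/$SyslogPort; check the Enable Syslog Server setting."
}
```

If CyberTrace is configured to send over TCP instead of UDP, create a second rule with `-Protocol TCP` and check the listener with `Get-NetTCPConnection -LocalPort $SyslogPort -State Listen`.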

After Kaspersky CyberTrace sends an event, a new item appears on the Log Sources tab.

To accept the new log source:

  1. Right-click the new item and select Actions > Resolve Log Source Hosts.
  2. Double-click the new item.

    The Log Source Acceptance Properties window opens.

    Figure: Log Source Acceptance Properties window

  3. Edit the properties:
    • Specify the log source host.
    • Specify Kaspersky CyberTrace as the log source type.
    • Specify the MPE policy that you added in step 4.
  4. Click OK.
  5. If an error message appears saying that you cannot use an unknown log source host, add a new entity as follows:
    1. In LogRhythm Console, select the Entities tab.
    2. Click the New Child Entity toolbar button.


    3. In the Entity Properties window that opens, specify the entity properties.


      The entity name must be unique and non-empty. Other entity properties can be arbitrary.

    4. Click OK.
    5. Repeat step 3, using the created entity as the log source host.
  6. Select the Action checkbox.
  7. Right-click the log source and select Actions > Accept > Defaults.

    Figure: Log source context menu

    The new log source now appears in the lower table in LogRhythm Console.

    Figure: New log source
