Step 7. Configuring log forwarding to Kaspersky CyberTrace

This section explains how to configure LogRhythm to forward logs to Kaspersky CyberTrace. Configuring LogRhythm includes adding a log receiver and adding a log distribution policy.

Adding a log receiver

In LogRhythm, create a new log receiver. This log receiver will represent Kaspersky CyberTrace.

To add a log receiver to LogRhythm:

  1. Run LogRhythm Console.
  2. Select Deployment Manager > Tools > Distribution > Log Distribution Services > Receiver Manager.

    The Log Distribution Receiver Manager window opens.

  3. Select File > New.
  4. Fill in the fields of the Syslog Receiver Properties window that opens:
    • Specify the IP address of the remote host on which Kaspersky CyberTrace is installed (the IP address specified in the InputSettings > ConnectionString element of the Feed Service configuration file).
    • Specify the remote port that Kaspersky CyberTrace listens on for events (the port specified in the InputSettings > ConnectionString element of the Feed Service configuration file).
    • Change Network Protocol to TCP.
  5. Click OK.
  6. After a new row appears in the table, right-click the row and select Enabled.

Adding a log distribution policy

After the log receiver is added, set the conditions by adding a log distribution policy for events to be forwarded to Kaspersky CyberTrace.

To add a log distribution policy:

  1. Select Deployment Manager > Tools > Distribution > Log Distribution Services > Policy Manager.
  2. In the Log Distribution Policy Manager window that opens, select File > New.

    The Log Distribution Policy Wizard starts.

  3. Follow the instructions of the Wizard.

    Log Distribution Policy Wizard

    1. In the Select Distribution Receivers table, select the Kaspersky CyberTrace item that was created previously.
    2. Select the log sources that can send URLs, hashes, and IP addresses.

    After the Log Distribution Policy Wizard finishes, a new row appears in the table.

  4. Right-click the new row in the table and select Enabled.

The computer on which Kaspersky CyberTrace is installed will now receive logs. You can check this by using the netcat utility.
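The netcat check described above, written out as an added self-test that is not part of the Kaspersky or LogRhythm documentation: it reads a constructed Feed Service fragment (assuming the file is XML with host:port under InputSettings > ConnectionString), binds a listener on that address the way `nc -l` would, plays the LogRhythm side by sending newline-framed syslog events over TCP, and returns what arrived. The sample events and the md5 value in them are constructed.

```python
import socket
import threading
from xml.etree import ElementTree as ET

# Constructed config fragment; assumes the Feed Service file is XML with the
# listener as host:port under InputSettings > ConnectionString. Port 0 lets
# the OS pick a free port so the check runs anywhere.
FEED_SERVICE_CONFIG = """<Service>
  <InputSettings>
    <ConnectionString>127.0.0.1:0</ConnectionString>
  </InputSettings>
</Service>"""

# Constructed sample events in the newline-framed form LogRhythm sends over TCP.
SAMPLE_EVENTS = [
    "<134>Jan 01 12:00:00 proxy01 squid: TCP_MISS/200 GET http://example.test/ - DIRECT",
    "<134>Jan 01 12:00:01 edr01 agent: file hash md5=d41d8cd98f00b204e9800998ecf8427e",
]

def parse_connection_string(xml_text):
    """Return (host, port) from InputSettings > ConnectionString."""
    value = ET.fromstring(xml_text).findtext("./InputSettings/ConnectionString")
    if not value or ":" not in value:
        raise ValueError("InputSettings > ConnectionString missing or not host:port")
    host, _, port = value.rpartition(":")
    return host, int(port)

def run_forwarding_check(xml_text, events, timeout=5.0):
    """Listen like `nc -l` on the configured port, send events, return what arrived."""
    host, port = parse_connection_string(xml_text)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    listener.settimeout(timeout)  # do not hang forever if nothing connects
    received = []
    def accept_and_read():
        conn, _ = listener.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
        received.extend(data.decode("utf-8").splitlines())  # one event per line
    reader = threading.Thread(target=accept_and_read)
    reader.start()
    # This sender stands in for LogRhythm's log distribution service.
    with socket.create_connection(listener.getsockname(), timeout=timeout) as sender:
        sender.sendall("".join(e + "\n" for e in events).encode("utf-8"))
    reader.join(timeout)
    listener.close()
    return received
```

On the CyberTrace host, run it with the Feed Service stopped so the configured port is free, and compare the returned list with what the policy should be forwarding; an empty or short list points at the receiver address, the TCP setting, or the policy's log source selection.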

Displaying detection events in LogRhythm

As a result of the above actions, LogRhythm will receive and display detection events. Also, the events will appear in the web console, which is available at https://<logrhythmIP>:8443 or at https://<logrhythmIP>:80.
