Managing SIEM integration settings

To manage the settings for integration of Kaspersky Endpoint Agent with a SIEM system using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Execute the following command:

    agent.exe --message-broker=<enable|disable|show> --type=<syslog> [--tls=<yes|no>] --servers=<tcp|udp>://<address>:<port>[;<tcp|udp>://<address>:<port>[; …]] [--timeout=<timeout for SIEM server response>] [--pinned-certificate=<full path to TLS certificate file>] [--client-certificate=<full path to PFX file> --client-password=<password for PFX file>]

  4. Press ENTER.

    --message-broker command parameters for managing the integration of Kaspersky Endpoint Agent with a SIEM system

    --message-broker=<enable|disable|show>

      Required parameter.

      Allows you to enable, disable, and view the status of integration of Kaspersky Endpoint Agent with a SIEM system.

      • --message-broker=<enable> – enables integration.
      • --message-broker=<disable> – disables integration.
      • --message-broker=<show> – displays the status of integration of Kaspersky Endpoint Agent with a SIEM system.

    --type=<syslog>

      Required parameter.

      Indicates that the integration of Kaspersky Endpoint Agent with a SIEM system is being configured via the syslog protocol.

    --tls=<yes|no>

      Optional parameter.

      Allows you to enable or disable a trusted (TLS) connection between Kaspersky Endpoint Agent and a SIEM system.

      • --tls=<yes> – enables the trusted connection.
      • --tls=<no> – disables the use of a trusted connection.

    --servers=<tcp|udp>://<address>:<port>[;<tcp|udp>://<address>:<port>[; …]]

      Required parameter.

      Allows the addition of one or more SIEM servers, separated by semicolons. If no data transfer protocol is specified for a server, TCP is used by default.

      Kaspersky Endpoint Agent connects to the first server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second server, and so on down the list.

    --timeout=<maximum time to wait for a response from the SIEM server>

      Optional parameter.

      Allows you to set the maximum response timeout of the SIEM server in milliseconds.

      The default value is 10,000 milliseconds.

    --pinned-certificate=<full path to the TLS certificate>

      Required parameter if --tls is passed with the <yes> value.

      Allows you to add the TLS certificate that Kaspersky Endpoint Agent pins when connecting to a SIEM server.

    --client-certificate=<full path to PFX file>

      Optional parameter.

      Allows you to add a PFX file that stores an encrypted client certificate for protecting the connection between Kaspersky Endpoint Agent and a SIEM server.

    --client-password=<password for PFX file>

      Required parameter if --client-certificate is passed.

      Lets you specify the password for the PFX file.
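    As an added illustration (not part of the Kaspersky documentation or the agent itself), the helper below assembles and validates the agent.exe command line according to the rules in the table: the --servers list order is the failover order, TCP is the default protocol, --tls=yes requires --pinned-certificate, and --client-certificate requires --client-password. Server addresses and certificate paths used with it are constructed examples.

```python
import re
from typing import List, Optional

# One --servers entry, per the documented syntax: [tcp|udp://]<address>:<port>
_SERVER_RE = re.compile(r"^(?:(?P<proto>tcp|udp)://)?(?P<host>[^:/;]+):(?P<port>\d{1,5})$")

def parse_servers(value: str) -> List[str]:
    """Split a ';'-separated --servers value into an ordered, normalised list. Order is
    the failover order the documentation describes; entries without a protocol get tcp://."""
    servers = []
    for raw in (s.strip() for s in value.split(";")):
        if not raw:
            continue
        m = _SERVER_RE.match(raw)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            raise ValueError(f"malformed SIEM server entry: {raw!r}")
        servers.append(f"{m.group('proto') or 'tcp'}://{m.group('host')}:{m.group('port')}")
    if not servers:
        raise ValueError("--servers requires at least one SIEM server")
    return servers

def build_message_broker_command(servers: str, tls: bool = True,
                                 pinned_certificate: Optional[str] = None,
                                 client_certificate: Optional[str] = None,
                                 client_password: Optional[str] = None,
                                 timeout_ms: int = 10000) -> List[str]:
    """Assemble the agent.exe argument list, enforcing the documented dependencies:
    --tls=yes needs --pinned-certificate, --client-certificate needs --client-password."""
    if tls and not pinned_certificate:
        raise ValueError("--tls=yes requires --pinned-certificate")
    if client_certificate and not client_password:
        raise ValueError("--client-certificate requires --client-password")
    argv = ["agent.exe", "--message-broker=enable", "--type=syslog",
            f"--tls={'yes' if tls else 'no'}",
            "--servers=" + ";".join(parse_servers(servers)), f"--timeout={timeout_ms}"]
    if pinned_certificate:
        argv.append(f"--pinned-certificate={pinned_certificate}")
    if client_certificate:
        argv += [f"--client-certificate={client_certificate}", f"--client-password={client_password}"]
    return argv

def validation_error(**kwargs) -> Optional[str]:
    """Return the validation message for a candidate configuration, or None if it is valid."""
    try:
        build_message_broker_command(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```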

See also

Integration with a SIEM system