Configuring event export to a SIEM system

The application allows you to export events—registered during the operation of Administration Server and other Kaspersky Lab applications that are installed on client devices—to a Security Information and Event Management (SIEM) system.

To configure event export to a SIEM system:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Click the Configure notifications and event export link and select the Configure export to SIEM system value in the drop-down list.

    The events properties window opens, displaying the Exporting events section.

  4. Select the Automatically export events to SIEM system database check box.
  5. In the SIEM system drop-down list, select the system to which you want to export events.

    Events can be exported to SIEM systems, such as QRadar® (LEEF format), ArcSight (CEF format), Splunk® (CEF format), and Syslog format (RFC 5424). The ArcSight (CEF format) system is selected by default.

  6. Specify the address of a SIEM system server and a port for connection to that server in the corresponding fields.

    Clicking the Export archive button makes the application export events registered on or after the specified date to the SIEM system database. By default, the application exports events starting from the current date.

  7. Click OK.

After you select the Automatically export events to SIEM system database check box and configure connection with the server, the application will automatically export all events to the SIEM system when they are registered during the operation of Administration Server and other Kaspersky Lab applications.
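Once export is switched on, the receiving side needs a way to confirm that events actually arrive in the configured format. The following parser is an added example, not part of Kaspersky Security Center or its documentation: it takes lines as a SIEM listener would receive them, strips an optional RFC 5424 syslog header, parses the CEF header and extension or the LEEF 1.0/2.0 header and attributes (including the LEEF 2.0 delimiter field), and reports malformed lines. The sample lines, vendor and product names, and field values are constructed for the example and do not reproduce the application's real output.

```python
"""Parse CEF and LEEF event lines, optionally wrapped in an RFC 5424 syslog
header, to check that exported events arrive well-formed at the SIEM side.
Added example; sample data below is constructed, not real product output."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    fmt: str            # "CEF" or "LEEF"
    vendor: str
    product: str
    version: str
    event_id: str       # CEF Signature ID / LEEF EventID
    name: str           # CEF Name; LEEF has no name header, so ""
    severity: str       # CEF Severity; "" for LEEF
    ext: dict = field(default_factory=dict)


def _split_header(s: str, n: int) -> list:
    """Split s on the first n unescaped '|' characters; the remainder of the
    string becomes the last element. A backslash escapes the next character."""
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < n:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(parts) < n:
        raise ValueError("header has fewer than %d fields" % n)
    parts.append(s[i:])
    return parts


def _unescape(v: str) -> str:
    """Resolve CEF extension escapes: \\= \\\\ \\n \\r (and any other \\X)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)


def _cef_extension(ext: str) -> dict:
    """key=value pairs separated by spaces; values may contain spaces, so
    split only at whitespace that precedes something shaped like 'key='."""
    out = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        if "=" in pair:
            k, v = pair.split("=", 1)
            out[k] = _unescape(v)
    return out


def parse_cef(body: str) -> Event:
    """body is everything after the 'CEF:' marker."""
    _ver, vendor, product, version, sig, name, sev, ext = _split_header(body, 7)
    return Event("CEF", vendor, product, version, sig, name, sev, _cef_extension(ext))


def parse_leef(body: str) -> Event:
    """body is everything after the 'LEEF:' marker. LEEF 1.0 separates
    attributes with a tab; LEEF 2.0 adds an optional delimiter field that is
    either a literal character or 'xHH' hex (assumed handling of that field)."""
    leef_ver, vendor, product, version, event_id, rest = _split_header(body, 5)
    delim = "\t"
    if leef_ver.startswith("2.") and "|" in rest:
        d, rest = _split_header(rest, 1)
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", d):
            delim = chr(int(d[1:], 16))
        elif d:
            delim = d[0]
    attrs = {}
    for pair in rest.split(delim):
        if "=" in pair:
            k, v = pair.split("=", 1)
            attrs[k] = v
    return Event("LEEF", vendor, product, version, event_id, "", "", attrs)


_RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ (?:-|(?:\[[^\]]*\])+) ")


def has_rfc5424_header(line: str) -> bool:
    """True if the line starts with an RFC 5424 syslog header (PRI, version 1,
    timestamp, host, app, procid, msgid, structured data)."""
    return _RFC5424.match(line) is not None


def parse_event(line: str) -> Event:
    """Locate the CEF or LEEF marker (skipping any syslog prefix) and parse."""
    for marker, fn in (("CEF:", parse_cef), ("LEEF:", parse_leef)):
        pos = line.find(marker)
        if pos >= 0:
            return fn(line[pos + len(marker):])
    raise ValueError("no CEF or LEEF marker in line")


def check_export(lines):
    """Return (counts per format, [(line_no, error)], parsed events)."""
    counts, errors, events = {}, [], []
    for n, line in enumerate(lines, 1):
        try:
            ev = parse_event(line)
        except ValueError as e:
            errors.append((n, str(e))); continue
        counts[ev.fmt] = counts.get(ev.fmt, 0) + 1
        events.append(ev)
    return counts, errors, events


# Constructed sample lines (not real product output); the last one is malformed.
SAMPLE_LINES = [
    "<14>1 2024-01-01T12:00:00Z ksc-host KSC - - - "
    "CEF:0|ExampleVendor|ExampleProduct|1.0|1001|Malware detected|7|"
    "src=10.0.0.5 dst=10.0.0.9 msg=Object quarantined\\: eicar.com",
    "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|1002|src=10.0.0.5\tdst=10.0.0.9\tsev=5",
    "LEEF:2.0|ExampleVendor|ExampleProduct|1.0|1003|^|src=10.0.0.6^cat=Audit",
    "CEF:0|ExampleVendor|broken",
]

if __name__ == "__main__":
    counts, errors, events = check_export(SAMPLE_LINES)
    print(counts, errors)
    for ev in events:
        print(ev)
```

Feed the script the lines captured on the SIEM side (for example, from the syslog receiver's raw input) and compare the per-format counts against what the Administration Server reports; parse errors point at lines that were truncated, mis-delimited or sent in a format other than the one selected in step 5.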

For more details of event export, please see section "Exporting events to SIEM systems".
