Exporting events from Kaspersky Security Center Linux to an external SIEM system involves two parties: the event sender (Kaspersky Security Center Linux) and the event receiver (the SIEM system). Export must therefore be configured on both sides: in the SIEM system and in Kaspersky Security Center Linux.
The settings you specify in the SIEM system depend on the particular system you are using. In general, for any SIEM system you must set up a receiver and, optionally, a message parser for the received events.
Setting up the receiver
To receive events sent by Kaspersky Security Center Linux, you must set up the receiver in your SIEM system. In general, the following settings must be specified in the SIEM system:
The message transfer protocol: UDP, TCP, or TLS over TCP. This must be the same protocol you select in Kaspersky Security Center Linux. Only TLS over TCP protects the events in transit; plain UDP and TCP carry them unencrypted, and UDP additionally gives no delivery guarantee, so events can be lost without either side noticing.
The port on which the receiver listens for incoming events. This must be the same port you specify in Kaspersky Security Center Linux when configuring export to the SIEM system (Kaspersky Security Center Linux is the connecting side; the SIEM system listens).
The Syslog message format.
Depending on the SIEM system that you use, you may have to specify some additional receiver settings.
The figure below shows the receiver setup screen in ArcSight.
Receiver setup in ArcSight
Message parser
Exported events arrive in the SIEM system as messages. These messages must be parsed correctly before the event information can be used by the SIEM system. Message parsers are part of the SIEM system: they split the contents of each message into the relevant fields, such as event ID, severity, description, and parameters, so that events received from Kaspersky Security Center Linux can be processed and stored in the SIEM system database.
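As an added illustration of the two SIEM-side steps above (the receiver and the message parser), the following example, which is not Kaspersky's code and not taken from this page, shows what a receiver has to do with the bytes it reads from a TCP (or TLS over TCP) connection and what a parser then extracts from each record. It assumes RFC 6587 stream framing, an RFC 5424 syslog header, and a CEF-formatted message body; the vendor, product, event IDs and extension keys in the sample records are constructed for the example and are not documented Kaspersky Security Center Linux output.

```python
"""Added example (not Kaspersky's code): de-frame a TCP syslog stream and parse
each record into the fields a SIEM needs (event ID, severity, description,
parameters). Header layout (RFC 5424) and CEF body are assumptions; the sample
records below are constructed, with made-up vendor/product/event names."""
import re
from dataclasses import dataclass, field

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)
OCTET_COUNT = re.compile(rb"(\d+) ")              # RFC 6587 octet-counting prefix
CEF_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.\-]+)=")  # start of a key=value pair


@dataclass
class Event:
    facility: int
    severity: int          # syslog severity: 0 = emergency ... 7 = debug
    host: str
    app: str
    event_id: str          # CEF signature ID
    description: str       # CEF name
    cef_severity: str
    params: dict = field(default_factory=dict)


def split_frames(buf: bytes):
    """De-frame a TCP byte stream per RFC 6587: records are either octet-counted
    ("<len> <record>") or LF-terminated. Returns (records, leftover); leftover is
    an incomplete trailing record that must be prepended to the next read."""
    records, i = [], 0
    while i < len(buf):
        m = OCTET_COUNT.match(buf, i)
        if m:                                    # length prefix, no terminator
            length, start = int(m.group(1)), m.end()
            if start + length > len(buf):
                break                            # wait for the rest of the frame
            records.append(buf[start:start + length])
            i = start + length
        else:                                    # non-transparent framing: ends at LF
            nl = buf.find(b"\n", i)
            if nl < 0:
                break
            records.append(buf[i:nl])
            i = nl + 1
    return records, buf[i:]


def _unescape(s: str) -> str:
    # CEF escapes: \| and \\ in the header; \= \\ \n \r in the extension
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  s, flags=re.DOTALL)


def parse_cef(body: str):
    """Split 'CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension'.
    Only the first seven '|' (unescaped) are separators; everything after is the
    extension, whose values may contain spaces and unescaped '|'."""
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, cur, i = [], [], 4
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep escape pair, decode later
            cur.append(body[i:i + 2]); i += 2; continue
        if c == "|":
            fields.append(_unescape("".join(cur))); cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    ext = body[i:]
    keys = list(CEF_KEY.finditer(ext))
    params = {}
    for n, m in enumerate(keys):                 # value runs until the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        params[m.group(1)] = _unescape(ext[m.end():end])
    return fields, params


def parse_syslog(record: bytes) -> Event:
    m = SYSLOG_5424.match(record.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 5424 record")
    pri = int(m.group("pri"))                    # PRI = facility * 8 + severity
    hdr, params = parse_cef(m.group("msg"))
    return Event(facility=pri // 8, severity=pri % 8, host=m.group("host"),
                 app=m.group("app"), event_id=hdr[4], description=hdr[5],
                 cef_severity=hdr[6], params=params)


def parse_stream(buf: bytes):
    """What a receiver does per read(): de-frame, parse, keep the remainder."""
    records, leftover = split_frames(buf)
    return [parse_syslog(r) for r in records], leftover


# Constructed sample stream: one LF-framed record, one octet-counted record,
# and an incomplete tail that must be buffered until the next read.
_REC1 = (b"<14>1 2024-05-01T10:15:00Z ksc-server KSC - - - "
         b"CEF:0|ExampleVendor|ExampleProduct|1.0|EV_EXAMPLE_DETECT|Object detected \\| quarantined|8|"
         b"dvchost=ws01 msg=Status\\=infected object in C:\\\\tmp\\\\sample.com cs1=sample")
_REC2 = (b"<13>1 2024-05-01T10:16:00Z ksc-server KSC - - - "
         b"CEF:0|ExampleVendor|ExampleProduct|1.0|EV_EXAMPLE_TASK_DONE|Task completed|2|dvchost=ws02")
SAMPLE_STREAM = _REC1 + b"\n" + str(len(_REC2)).encode() + b" " + _REC2 + b"<14>1 partial"

if __name__ == "__main__":
    events, rest = parse_stream(SAMPLE_STREAM)
    for ev in events:
        print(ev)
    print("buffered for next read:", rest)
```

The framing step is why the receiver's protocol setting must match the sender's: over UDP each datagram is one record, whereas over TCP or TLS records arrive as a byte stream and the receiver must find the record boundaries itself, buffering any incomplete tail. The parser step is the part the SIEM's message parser configuration replaces; the field names it produces (event ID, severity, description, parameters) are the ones the SIEM stores and searches on.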