Configuring the publishing of program events to a SIEM system

Make sure to enable the export of events in CEF format before you proceed with the configuration.

To configure the publishing of program events to a SIEM system:

  1. Run the management console of the Kaspersky Secure Mail Gateway virtual machine or connect to it over SSH.
  2. Switch to Technical Support Mode. To do so, perform the following:
    1. In the Select action window that opens when the management console starts, select Technical Support Mode.

      This opens the Web Interface password window.

    2. Enter the administrator password and click OK.

      This opens the Technical Support Mode window.

    3. Read the warning and click OK.

    The virtual machine is started in Technical Support Mode.

  3. Specify the address and port for connecting to the server with the SIEM system. To do so, add the following lines to the end of the /etc/rsyslog.conf file (create a backup copy of the file before editing it; a mistake introduced while editing the file can cause the system to malfunction):

    $WorkDirectory /var/lib/rsyslog

    $ActionQueueFileName ForwardToSIEM

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    Then add one forwarding line, not both. For TCP (the @@ prefix), which is the recommended protocol:

    <facility>.* @@<IP address of the SIEM system>:<port on which the SIEM system receives messages from syslog over TCP>

    For UDP (the @ prefix):

    <facility>.* @<IP address of the SIEM system>:<port on which the SIEM system receives messages from syslog over UDP>

    Here <facility> is the syslog facility to which the program writes CEF events. The $ActionQueue* and $ActionResumeRetryCount lines apply to the forwarding action that follows them: events are buffered in a disk-assisted queue under /var/lib/rsyslog (up to 1 GB) while the SIEM system is unreachable, the queue is preserved across rsyslog restarts, and delivery is retried indefinitely, so a short outage of the SIEM system does not lose events. TCP is recommended because a broken connection is detected and triggers these retries, whereas UDP drops undeliverable messages silently. Both variants send events in cleartext, so restrict the network path between the virtual machine and the SIEM system accordingly.

  4. Restart the rsyslog service. To do that, enter at the command line:

    service rsyslog restart

The publishing of events to a SIEM system is configured.
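As an added example that is not part of this documentation or of the product itself, the POSIX sh helper below wraps steps 3 and 4: it generates the rsyslog fragment with a single forwarding line, backs up /etc/rsyslog.conf, appends the fragment, validates the result with rsyslogd -N1 before restarting, and sends a test event. The function names, the facility local1, the collector address 192.0.2.10 and port 514 used in the usage comments are assumptions, not values from the product documentation.

```shell
# Added example, not from the Kaspersky Secure Mail Gateway documentation.
# Run as root on the virtual machine in Technical Support Mode.
# Assumed values used in the comments: facility local1, SIEM 192.0.2.10, port 514.

# Print the rsyslog fragment for one forwarding action.
# Arguments: facility, SIEM address, SIEM port, protocol (tcp or udp; default tcp).
# Exactly one forwarding line is emitted: "@@" selects TCP, "@" selects UDP.
siem_fragment() {
    facility=$1
    host=$2
    port=$3
    proto=${4:-tcp}
    case "$proto" in
        tcp) target="@@$host:$port" ;;
        udp) target="@$host:$port" ;;
        *)   echo "siem_fragment: unknown protocol '$proto' (use tcp or udp)" >&2
             return 1 ;;
    esac
    # The $ActionQueue* and $ActionResumeRetryCount directives apply to the
    # forwarding action that follows them: events are buffered on disk while
    # the SIEM is unreachable and delivery is retried indefinitely.
    cat <<EOF
# Forwarding of $facility events to the SIEM system over $proto
\$WorkDirectory /var/lib/rsyslog
\$ActionQueueFileName ForwardToSIEM
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
$facility.* $target
EOF
}

# Back up /etc/rsyslog.conf, append the fragment, check the syntax and restart.
# Example: siem_apply local1 192.0.2.10 514 tcp
siem_apply() {
    conf=/etc/rsyslog.conf
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp "$conf" "$backup" || return 1
    siem_fragment "$@" >> "$conf" || return 1
    # Validate before restarting: a broken rsyslog.conf can leave rsyslog
    # unable to start, so roll back to the backup on a configuration error.
    if ! rsyslogd -N1 >/dev/null 2>&1; then
        echo "siem_apply: invalid rsyslog configuration, restoring $backup" >&2
        cp "$backup" "$conf"
        return 1
    fi
    service rsyslog restart
}

# Emit one test message on the chosen facility; it should show up in the SIEM
# within seconds if forwarding works. Example: siem_test_event local1
siem_test_event() {
    logger -p "$1.info" -t ksmg-siem-test "SIEM forwarding test $(date +%s)"
}
```

After siem_apply succeeds, run siem_test_event with the same facility and search the SIEM for the ksmg-siem-test tag; if nothing arrives, check with ss or netstat that a TCP session to the collector port is established, and remember that the queue directives keep undelivered events in /var/lib/rsyslog until the collector becomes reachable.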

