Configuring publication of application events to a SIEM system

To configure the publication of events in Technical Support Mode, you must first upload the public SSH key in the application web interface.

Prior to starting configuration, make sure that you have enabled export of events in CEF format.

Perform the instructions below on each cluster node whose events you want to publish to a SIEM system.

To configure the publication of application events to a SIEM system:

1. Connect to the Kaspersky Secure Mail Gateway virtual machine management console under the root account using a private SSH key.

   You will enter Technical Support Mode.

2. Specify the address and port for connecting to the server hosting the SIEM system. To do so, add the following lines to the end of the /etc/rsyslog.conf file:

   $ActionQueueFileName ForwardToSIEM

   $ActionQueueMaxDiskSpace 1g

   $ActionQueueSaveOnShutdown on

   $ActionQueueType LinkedList

   $ActionResumeRetryCount -1

   <category (facility)>.* @@<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over TCP>

   Prior to making any changes to the /etc/rsyslog.conf file, you are advised to make a backup copy. An error while editing the file could cause the system to operate incorrectly.

3. Restart the rsyslog service. To do so, run the following command:

   service rsyslog restart

Publication of application events to the SIEM system is configured.

Page top