Configuring publication of program events to a SIEM system

To configure publication of events in Technical Support Mode, you must first upload the public SSH key in the program web interface.

Prior to starting configuration, make sure that you have enabled export of events in CEF format.

Perform the instructions below on each cluster node whose events you want to publish to a SIEM system.

To configure publication of program events to a SIEM system:

  1. Connect to the Kaspersky Secure Mail Gateway virtual machine management console under the root account using a private SSH key.

    You will enter Technical Support Mode.

  2. Specify the address and port for connecting to the server hosting the SIEM system. To do so, add the following lines to the end of the /etc/rsyslog.conf file:

    $WorkDirectory /var/lib/rsyslog
    $ActionQueueFileName ForwardToSIEM
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1
    <category (facility)>.* @@<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over TCP>

    Prior to making any changes to the /etc/rsyslog.conf file, you are advised to make a backup copy. An error while editing the file could cause the system to operate incorrectly.

  3. Restart the rsyslog service. To do so, run the following command:

    service rsyslog restart

Publication of program events to the SIEM system will be configured.
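Steps 2 and 3 of the procedure above as POSIX shell functions, added here as an example that is not part of the Kaspersky Secure Mail Gateway documentation: the block is built from the directives the page lists, the backup recommended under step 2 is taken automatically, the block is appended only once, and the service is restarted only after rsyslogd's own configuration check (rsyslogd -N1) passes, with a rollback to the backup if it does not. The facility local0, the SIEM address 198.51.100.20 with port 514, and the script name forward_to_siem.sh are constructed assumptions; substitute the facility used by the CEF export and the address and port of your SIEM.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky Secure Mail Gateway documentation:
# steps 2 and 3 of the procedure as shell functions, so the edit to
# /etc/rsyslog.conf is backed up, appended once, syntax-checked and only
# then followed by the service restart. The facility "local0" and the
# SIEM address 198.51.100.20:514 used in the usage line are constructed
# sample values.

# Print the block from the documentation with the three placeholders filled in.
# $1 = syslog facility (category), $2 = SIEM IP address, $3 = SIEM TCP port
# Single quotes keep the leading "$" of each directive literal.
build_siem_forward_block() {
    printf '%s\n' \
        '$WorkDirectory /var/lib/rsyslog' \
        '$ActionQueueFileName ForwardToSIEM' \
        '$ActionQueueMaxDiskSpace 1g' \
        '$ActionQueueSaveOnShutdown on' \
        '$ActionQueueType LinkedList' \
        '$ActionResumeRetryCount -1' \
        "$1.* @@$2:$3"
}

# Back up the config file and append the block, refusing to add it twice.
# $1 = path to rsyslog.conf, $2 = facility, $3 = SIEM IP, $4 = SIEM TCP port
# Prints the backup path on success.
append_siem_forward() {
    conf="$1"; facility="$2"; siem_ip="$3"; siem_port="$4"
    case "$siem_port" in
        ''|*[!0-9]*) echo "port must be numeric: '$siem_port'" >&2; return 1 ;;
    esac
    if [ "$siem_port" -lt 1 ] || [ "$siem_port" -gt 65535 ]; then
        echo "port out of range: $siem_port" >&2; return 1
    fi
    if grep -q 'ActionQueueFileName ForwardToSIEM' "$conf" 2>/dev/null; then
        echo "forwarding block already present in $conf" >&2; return 2
    fi
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 1
    build_siem_forward_block "$facility" "$siem_ip" "$siem_port" >> "$conf" || return 1
    echo "$backup"
}

# Step 3 with a safety net: validate the config with rsyslogd -N1 (config
# check only, the daemon is not started) and restore the backup if the
# check fails; restart the service only when the check passes.
check_and_restart() {
    conf="$1"; backup="$2"
    if ! rsyslogd -N1 -f "$conf" >/dev/null 2>&1; then
        echo "config check failed, restoring $backup" >&2
        cp -p "$backup" "$conf"
        return 1
    fi
    service rsyslog restart
}

# Usage on a cluster node (in Technical Support Mode, as root):
#   sh forward_to_siem.sh apply local0 198.51.100.20 514
case "${1:-}" in
    apply)
        backup=$(append_siem_forward /etc/rsyslog.conf "$2" "$3" "$4") || exit 1
        check_and_restart /etc/rsyslog.conf "$backup"
        ;;
esac
```

Two details of the page's block are worth knowing when you operate this: the double "@@" selects TCP (a single "@" would be UDP), and the queue directives make rsyslog spool events to disk under /var/lib/rsyslog (up to 1g, kept across shutdown) and retry forever (-1) while the SIEM is unreachable, so a SIEM outage delays delivery rather than losing events.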
