Event publishing settings saved on the Control node are propagated to all nodes in the cluster. Only enable the export of events in CEF format after configuring event publishing.
To configure the publication of application events to a SIEM system:
1. In the application web interface window, select the Settings → External services → Remote logging section.
2. If you want to use logging on an external server, turn on the Use remote logging toggle switch.
3. Under Facility, select the categories of events to be sent to the SIEM system. Possible categories:
   - Security audit log (authpriv)
   - System services event log (daemon)
   - Task scheduler log (cron)
   - Built-in MTA log (mail)
   - Kaspersky Secure Mail Gateway log (local1)
   - Kaspersky Secure Mail Gateway log in CEF format (local2)
   By default, no category is selected.
4. In the FQDN or IP address field, enter the address of the SIEM server. IPv4 or IPv6 addresses are supported.
5. In the Port field, enter the port used for connecting to the SIEM system. Possible values: 1 to 65535.
   Default values: 601 for TCP, 514 for UDP, 6514 for TCP over TLS.
6. Under Protocol, select the protocol for sending information to the SIEM system. Possible values:
   - TCP
   - UDP
   - TCP over TLS
   By default, TCP over TLS is selected.
7. If you selected TCP over TLS, under Authentication, select an authentication method. Possible values:
   - CA certificate and FQDN
     The FQDN or IP address field must contain the address that is specified in the server certificate.
   - Server certificate fingerprint
   The default value is CA certificate and FQDN.
8. If you selected CA certificate and FQDN authentication, add a TLS certificate for the encrypted connection to the SIEM system. To do so, under CA certificate, click Browse, select the certificate file in PEM format, and click Open.
   We recommend using a certificate with an RSA key length of at least 4096 bits or an ECDSA key length of at least 256 bits.
9. If you selected Server certificate fingerprint authentication, in the Server certificate fingerprint field, insert the fingerprint value of the external server certificate.
   In KSMG on Rocky Linux, we recommend using SHA256 fingerprints. In KSMG on RED OS, we recommend using SHA1 fingerprints.
10. Click Save.
Publication of application events to the SIEM system is configured.
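Each Facility category above corresponds to a standard syslog facility, and the syslog PRI header (PRI = facility × 8 + severity, RFC 5424 section 6.2.1) is what the SIEM uses to tell them apart. The following script is an added example, not Kaspersky's code: it parses the PRI of incoming lines, maps the facility number back to the category names on the Remote logging page, flags CEF payloads, and counts messages per category so you can confirm that every enabled checkbox actually produces traffic at the collector. The sample lines are constructed, not real KSMG output.

```python
"""Check which KSMG log categories are arriving at the SIEM collector.

Added example (not Kaspersky's code): parses the PRI header of syslog
messages (RFC 5424 / RFC 3164, PRI = facility * 8 + severity) and maps the
facility number to the category names used on the Remote logging page.
"""
import re
from collections import Counter

# Syslog facility numbers (RFC 5424, section 6.2.1) for the categories
# that KSMG can send.
KSMG_FACILITIES = {
    10: "Security audit log (authpriv)",
    3: "System services event log (daemon)",
    9: "Task scheduler log (cron)",
    2: "Built-in MTA log (mail)",
    17: "Kaspersky Secure Mail Gateway log (local1)",
    18: "Kaspersky Secure Mail Gateway log in CEF format (local2)",
}

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from a syslog line, or None if the PRI is missing or invalid."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return None
    return pri // 8, pri % 8


def classify(line):
    """Map a syslog line to its KSMG category, severity name, and whether the payload is CEF."""
    parsed = parse_pri(line)
    if parsed is None:
        return None
    facility, severity = parsed
    category = KSMG_FACILITIES.get(facility, "other facility %d" % facility)
    return {"category": category, "severity": SEVERITIES[severity], "cef": "CEF:0|" in line}


def summarize(lines):
    """Count messages per category; an enabled Facility with a zero count means nothing arrived."""
    counts = Counter()
    for line in lines:
        info = classify(line)
        counts[info["category"] if info else "unparseable"] += 1
    return dict(counts)


# Constructed sample lines (not real KSMG output), one per facility plus one broken line.
SAMPLE_LINES = [
    "<86>1 2024-01-01T00:00:00Z ksmg01 sshd - - - Accepted publickey for admin",
    "<30>1 2024-01-01T00:00:01Z ksmg01 systemd - - - Started daily cleanup",
    "<78>1 2024-01-01T00:00:02Z ksmg01 CROND - - - (root) CMD (run-parts)",
    "<22>1 2024-01-01T00:00:03Z ksmg01 postfix/smtpd - - - connect from mx.example.test",
    "<142>1 2024-01-01T00:00:04Z ksmg01 ksmg - - - scan result: clean",
    "<150>1 2024-01-01T00:00:05Z ksmg01 ksmg - - - CEF:0|vendor|product|version|sig|name|sev|",
    "garbage without a PRI header",
]

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LINES).items()):
        print("%-60s %d" % (category, n))
```

Run it against a capture from the collector (for example the lines a test listener wrote to disk) rather than the constructed samples; a category that is enabled in KSMG but never appears in the summary points at a facility, port, or protocol mismatch between the two sides.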
If you imported a TLS certificate, after saving the logging settings, the Certificate fingerprint field displays the certificate fingerprint.
You can download the certificate by clicking Download.
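The two Authentication options for TCP over TLS differ in what the client actually checks: CA certificate and FQDN validates the server's chain against the uploaded CA and requires the name in the FQDN or IP address field to match the certificate, while Server certificate fingerprint skips chain validation and instead pins the SHA256 (or SHA1) digest of the server's DER-encoded certificate. The script below is an added example, not Kaspersky's code, that reproduces both checks with Python's standard library so you can test a collector before pointing KSMG at it. The function names, the check_collector helper, and the sample bytes are assumptions; the default port 6514 comes from the page.

```python
"""Verify a SIEM collector's TLS identity the two ways KSMG offers.

Added example (not Kaspersky's code). It shows what each Authentication
option on the Remote logging page amounts to on the client side:
  - "CA certificate and FQDN": chain validation against the uploaded CA plus
    a hostname check, so the FQDN or IP address field must match the certificate.
  - "Server certificate fingerprint": pin the SHA256 (or SHA1) digest of the
    server's DER-encoded certificate and compare it after the handshake.
Function names, the collector address and the sample bytes are assumptions.
"""
import hashlib
import hmac
import socket
import ssl

DEFAULT_TLS_PORT = 6514  # KSMG default for TCP over TLS


def normalize_fingerprint(value):
    """Accept 'AB:CD:...' or 'abcd...' as pasted from a certificate viewer; return lowercase hex."""
    return value.replace(":", "").replace(" ", "").strip().lower()


def fingerprint_of_der(der_bytes, algo="sha256"):
    """Digest of the DER certificate, the same value 'openssl x509 -fingerprint' prints."""
    if algo not in ("sha256", "sha1"):
        raise ValueError("use sha256 (recommended on Rocky Linux) or sha1 (recommended on RED OS)")
    return hashlib.new(algo, der_bytes).hexdigest()


def pin_matches(der_bytes, expected, algo="sha256"):
    """Constant-time comparison of the presented certificate against the pinned fingerprint."""
    return hmac.compare_digest(fingerprint_of_der(der_bytes, algo), normalize_fingerprint(expected))


def ca_and_fqdn_context(ca_pem_path):
    """Context for the 'CA certificate and FQDN' method: trust only the uploaded CA, verify the name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint_context():
    """Context for the 'Server certificate fingerprint' method: no chain validation; pin instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE     # pin_matches() below replaces chain validation
    return ctx


def check_collector(host, port=DEFAULT_TLS_PORT, ca_pem_path=None, pinned=None, algo="sha256"):
    """Hypothetical helper: connect the way KSMG would and report the negotiated protocol and fingerprint."""
    if ca_pem_path:
        ctx = ca_and_fqdn_context(ca_pem_path)
    elif pinned:
        ctx = fingerprint_context()
    else:
        raise ValueError("choose a CA file or a pinned fingerprint")
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pinned and not pin_matches(der, pinned, algo):
                raise ssl.SSLError("server certificate fingerprint mismatch")
            return {"protocol": tls.version(), "fingerprint": fingerprint_of_der(der, algo)}


if __name__ == "__main__":
    # Constructed bytes standing in for a DER certificate; not a real certificate.
    sample_der = b"constructed-not-a-real-certificate"
    fp = fingerprint_of_der(sample_der)
    print("sha256 fingerprint:", fp)
    print("pin check with colon-separated uppercase form:",
          pin_matches(sample_der, ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()))
```

In fingerprint mode the handshake itself accepts any certificate, so the pin comparison after getpeercert() is the only thing authenticating the collector; a rotated server certificate will fail that check until the new fingerprint is entered on the Remote logging page, which is the expected behaviour rather than a fault.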