To reduce the load on low-performance devices and to reduce the risk of system degradation as a result of increased application log sizes, you can configure the publication of audit events and task performance events to the syslog server via the Syslog protocol.
A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and performs other log management actions.
You can use SIEM integration in two modes:
We recommend that you use this mode to reduce the load on the protected device as much as possible.
The application never deletes local versions of the security log.
Kaspersky Security for Windows Server can convert events in application logs into formats supported by the syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The application supports conversion into structured data format and into JSON format.
To reduce the risk that events will be relayed to the SIEM server unsuccessfully, you can define settings for connecting to a mirror syslog server.
A mirror syslog server is an additional syslog server to which the application switches automatically if the connection to the main syslog server is unavailable or if the main server cannot be used.
By default, SIEM integration is not used. You can enable and disable SIEM integration, and configure relevant settings (see the table below).
SIEM integration settings
Setting |
Default value |
Description |
---|---|---|
Send events to a remote syslog server via syslog protocol |
Not applied |
You can enable or disable SIEM integration by selecting or clearing the check box, respectively. |
Remove local copies for events that have been sent to a remote syslog server |
Not applied |
You can configure the settings for storing local copies of logs after they are sent to the SIEM server by selecting or clearing the check box. |
Events format |
Structured data |
You can select one of two formats to which the application converts its events prior to sending them to the syslog server for better recognition of these events by the SIEM server. |
Connection protocol |
TCP |
You can use the drop-down list to configure the connection to the main syslog server via the UDP or TCP protocols; to the mirror syslog server via the TCP protocol. |
Main syslog server connection settings |
IP address: 127.0.0.1 Port: 514 |
You can use the appropriate fields to configure the IP address and port used to connect to the main syslog server. You can specify the IP address only in IPv4 format. |
Use mirror syslog server if the main server is not accessible |
Not applied |
You can use the check box to enable or disable the use of a mirror syslog server. |
Mirror syslog server connection settings |
IP address: 127.0.0.1 Port: 514 |
You can use the appropriate fields to configure the IP address and port used to connect to the mirror syslog server. You can specify the IP address only in IPv4 format. |
To configure SIEM integration settings:
If an active Kaspersky Security Center policy is applied to a device and blocks changes to application settings, then these settings cannot be edited in the Application settings window.
The Logs and notifications settings window opens.
The status of the Remove local copies for events that have been sent to a remote syslog server check box does not affect the settings for storing events of the security log: the application never automatically deletes security log events.
By default, the application converts them into a structured data format.
You can only specify an IP address in IPv4 format.
Specify the following settings for connecting to the mirror syslog server: Address and Port.
The Address and Port fields for the mirror syslog server cannot be edited if the Use mirror syslog server if the main server is not accessible check box is cleared.
You can only specify an IP address in IPv4 format.
The configured SIEM integration settings will be applied.
Page top