To reduce the load on low-performance devices and to reduce the risk of system degradation caused by growing application log sizes, you can configure the application to publish audit events and task performance events to a syslog server over the Syslog protocol.
A syslog server is an external event-aggregation server (SIEM). It stores and analyzes the received events and performs other log management tasks.
You can use SIEM integration in two modes:
We recommend that you use this mode to reduce the load on the protected device as much as possible.
The application never deletes local versions of the security log.
Kaspersky Security for Windows Server can convert events in application logs into formats supported by the syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The application supports conversion into structured data format and into JSON format.
We recommend that you select the format of events based on the configuration of the utilized SIEM server.
Reliability settings
You can reduce the risk of events failing to reach the SIEM server by defining connection settings for a mirror syslog server.
A mirror syslog server is an additional syslog server to which the application switches automatically when the connection to the main syslog server is unavailable or the main server cannot be used.
Kaspersky Security for Windows Server also uses system audit events to notify you about unsuccessful attempts to connect to the SIEM server and about errors while sending events to the SIEM server.
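The following added example illustrates the two ideas described above, the conversion of an event into structured-data and JSON syslog formats and the automatic switch to a mirror server with local recording of delivery failures. It is not code from Kaspersky Security for Windows Server; the event fields, the structured-data element name `kswsEvent@0`, the app name `KSWS`, and the server names `siem-main.example` and `siem-mirror.example` are assumptions for the example, and the failover demonstration uses an injected fake sender so it runs offline.

```python
import json
import socket

# Constructed sample audit event. The field names are assumptions for this
# example and are not the product's actual event schema.
SAMPLE_EVENT = {
    "event_id": 1001,
    "task": "Real-Time File Protection",
    "severity": "warning",
    "host": "srv-files-01",
    "message": "Object detected",
    "object": "C:\\Temp\\sample.txt",
}

# PRI = facility * 8 + severity; facility 4 (security/auth), severity 4 (warning).
PRI = 4 * 8 + 4
TIMESTAMP = "2024-01-01T00:00:00Z"  # fixed so that the output is reproducible


def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_structured_data(event, app_name="KSWS", msg_id="audit"):
    """Render an event as one RFC 5424 line with the fields in a structured-data
    element. The SD-ID 'kswsEvent@0' and the app name are assumed names."""
    params = " ".join(
        f'{k}="{_sd_escape(v)}"' for k, v in event.items() if k != "message"
    )
    header = f"<{PRI}>1 {TIMESTAMP} {event['host']} {app_name} - {msg_id}"
    return f"{header} [kswsEvent@0 {params}] {event['message']}"


def to_json_line(event, app_name="KSWS"):
    """Render the same event with the whole record as a JSON MSG part and no
    structured data ('-' in the SD field)."""
    header = f"<{PRI}>1 {TIMESTAMP} {event['host']} {app_name} - - -"
    return f"{header} {json.dumps(event, sort_keys=True)}"


def tcp_send(target, line):
    """Deliver one syslog line over TCP using RFC 6587 octet-counting framing."""
    host, port = target
    payload = line.encode("utf-8")
    with socket.create_connection((host, port), timeout=2.0) as sock:
        sock.sendall(f"{len(payload)} ".encode("ascii") + payload)


class SyslogForwarder:
    """Sends each event to the main server and falls back to the mirror.

    `send` is injectable so the failover logic can be exercised without a
    network; it defaults to tcp_send."""

    def __init__(self, main, mirror, send=tcp_send):
        self.targets = (("main", main), ("mirror", mirror))
        self._send = send
        self.failures = []  # (server, (host, port), error) kept for local auditing

    def forward(self, line):
        """Return the name of the server that accepted the line, or None if
        both the main and the mirror server failed."""
        for name, target in self.targets:
            try:
                self._send(target, line)
                return name
            except OSError as exc:
                # Record the failure; an agent would also raise a local audit
                # event here so that operators notice the delivery problem.
                self.failures.append((name, target, str(exc)))
        return None


def simulate_failover(event):
    """Offline demonstration: the main server refuses the connection, the
    mirror accepts it. Returns (server_used, number_of_failures)."""
    delivered = []

    def fake_send(target, line):
        if target[0] == "siem-main.example":  # assumed hostname
            raise ConnectionRefusedError("connection refused")
        delivered.append((target, line))

    fwd = SyslogForwarder(
        ("siem-main.example", 514), ("siem-mirror.example", 514), send=fake_send
    )
    used = fwd.forward(to_structured_data(event))
    return used, len(fwd.failures)


if __name__ == "__main__":
    print(to_structured_data(SAMPLE_EVENT))
    print(to_json_line(SAMPLE_EVENT))
    print(simulate_failover(SAMPLE_EVENT))
```

The `failures` list is the hook a defender cares about: an event that reaches neither server is still present locally (the page states the local security log is never deleted), and the recorded failures are what a local audit event about unsuccessful SIEM connections would be built from.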