Configuring export of KSMG events to KUMA

To configure the export of KSMG events to KUMA:

  1. Connect to the KSMG server via SSH using an account with administrator rights.
  2. Use the ksmg-control utility to download the settings to the settings.xml file:

    sudo /opt/kaspersky/ksmg/bin/ksmg-control --get-settings EventLogger -n -f /tmp/settings.xml

  3. Make sure that the settings in the /tmp/settings.xml file have the following values; make changes if necessary:

    <siemSettings>

    <enabled>1</enabled>

    <facility>Local1</facility>

  4. Apply settings with the following command:

    sudo /opt/kaspersky/ksmg/bin/ksmg-control --set-settings EventLogger -n -f /tmp/settings.xml

  5. To send events via UDP, make the following changes to the /etc/rsyslog.conf configuration file:

    $WorkDirectory /var/lib/rsyslog

    $ActionQueueFileName ForwardToSIEM

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local1.* @<<IP address of the KUMA collector>:<port of the collector>>

    If you want to send events over TCP, the last line should be as follows:

    local1.* @@<<IP address of the KUMA collector>:<port of the collector>>

  6. Save your changes.
  7. Restart the rsyslog service with the following command:

    sudo systemctl restart rsyslog.service

Page top