In KES for Windows, starting from version 12.6, events can be sent from Windows logs to a KUMA collector. In this way, KUMA can get events from Windows logs (a limited set of EventIDs of Microsoft products is supported) from all hosts with KES for Windows 12.6 without installing KUMA agents on such hosts. To activate the functionality, you need:
Configuring event receiving consists of the following steps:
In KUMA, you must configure getting updates through Kaspersky update servers.
Click Import resources and in the list of normalizers available for installation, select [OOTB] Microsoft Products via KES WIN.
To receive Windows events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] Microsoft Products via KES WIN normalizer. At the Event filtering step, select the [OOTB] Microsoft Products via KES WIN - Event filter for collector filter.
If your license did not include a key for activating the functionality of sending Windows logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using KES for Windows version 12.6. We want to activate the functionality of sending Windows logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to make a Technical Support request because new users get 2 keys with licenses for KUMA and for activating the KES for Windows functionality.
In response to your message, you will get a key file.
A key file that activates the functionality of sending Windows events to KUMA collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add KUMA server addresses to the KES policy and specify network connection settings.
You can verify that the Windows event source server is correctly configured in the Searching for related events section of the KUMA web interface.
Microsoft product events transmitted by KES for Windows are listed in the following table:
Event log |
Event identifier |
|---|---|
DNS Server |
150 |
DNS Server |
770 |
MSExchange Management |
1 |
Security |
4781 |
Security |
6416 |
Security |
1100 |
Security |
1102 / 517 |
Security |
1104 |
Security |
1108 |
Security |
4610 / 514 |
Security |
4611 |
Security |
4614 / 518 |
Security |
4616 / 520 |
Security |
4622 |
Security |
4624 / 528 / 540 |
Security |
4625 / 529 |
Security |
4648 / 552 |
Security |
4649 |
Security |
4662 |
Security |
4663 |
Security |
4672 / 576 |
Security |
4696 |
Security |
4697 / 601 |
Security |
4698 / 602 |
Security |
4702 |
Security |
4704 / 608 |
Security |
4706 |
Security |
4713 / 617 |
Security |
4715 |
Security |
4717 / 621 |
Security |
4719 / 612 |
Security |
4720 / 624 |
Security |
4722 / 626 |
Security |
4723 / 627 |
Security |
4724 / 628 |
Security |
4725 / 629 |
Security |
4726 / 630 |
Security |
4727 |
Security |
4728 / 632 |
Security |
4729 / 633 |
Security |
4732 / 636 |
Security |
4733 / 637 |
Security |
4738 / 642 |
Security |
4739 / 643 |
Security |
4740 / 644 |
Security |
4741 |
Security |
4742 / 646 |
Security |
4756 / 660 |
Security |
4757 / 661 |
Security |
4765 |
Security |
4766 |
Security |
4767 |
Security |
4768 / 672 |
Security |
4769 / 673 |
Security |
4770 |
Security |
4771 / 675 |
Security |
4775 |
Security |
4776 / 680 |
Security |
4778 / 682 |
Security |
4780 / 684 |
Security |
4794 |
Security |
4798 |
Security |
4817 |
Security |
4876 / 4877 |
Security |
4882 |
Security |
4885 |
Security |
4886 |
Security |
4887 |
Security |
4890 |
Security |
4891 |
Security |
4898 |
Security |
4899 |
Security |
4900 |
Security |
4902 |
Security |
4904 |
Security |
4905 |
Security |
4928 |
Security |
4946 |
Security |
4947 |
Security |
4948 |
Security |
4949 |
Security |
4950 |
Security |
4964 |
Security |
5025 |
Security |
5136 |
Security |
5137 |
Security |
5138 |
Security |
5139 |
Security |
5141 |
Security |
5142 |
Security |
5143 |
Security |
5144 |
Security |
5145 |
Security |
5148 |
Security |
5155 |
Security |
5376 |
Security |
5377 |
Security |
5632 |
Security |
5888 |
Security |
5889 |
Security |
5890 |
Security |
676 |
System |
1 |
System |
104 |
System |
1056 |
System |
12 |
System |
13 |
System |
6011 |
System |
7040 |
System |
7045 |
System, Source Netlogon |
5723 |
System, Source Netlogon |
5805 |
Terminal-Services-RemoteConnectionManager |
1149 |
Terminal-Services-RemoteConnectionManager |
1152 |
Terminal-Services-RemoteConnectionManager |
20523 |
Terminal-Services-RemoteConnectionManager |
258 |
Terminal-Services-RemoteConnectionManager |
261 |
Windows PowerShell |
400 |
Windows PowerShell |
500 |
Windows PowerShell |
501 |
Windows PowerShell |
800 |
Application, Source ESENT |
301 |
Application, Source ESENT |
302 |
Application, Source ESENT |
325 |
Application, Source ESENT |
326 |
Application, Source ESENT |
327 |
Application, Source ESENT |
2001 |
Application, Source ESENT |
2003 |
Application, Source ESENT |
2005 |
Application, Source ESENT |
2006 |
Application, Source ESENT |
216 |
Application |
1000 |
Application |
1002 |
Application |
1 / 2 |