Configuring Windows event reception using Kaspersky Endpoint Security for Windows

In KES for Windows, starting from version 12.6, events can be sent from Windows logs to a KUMA collector. In this way, KUMA can get events from Windows logs (a limited set of EventIDs of Microsoft products is supported) from all hosts with KES for Windows 12.6 without installing KUMA agents on such hosts. To activate the functionality, you need:

Configuring event receiving consists of the following steps:

  1. Importing the normalizer into KUMA.

    In KUMA, you must configure getting updates through Kaspersky update servers.

    Click Import resources and in the list of normalizers available for installation, select [OOTB] Microsoft Products via KES WIN.

  2. Creating a KUMA collector for receiving Windows events.

    To receive Windows events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] Microsoft Products via KES WIN normalizer. At the Event filtering step, select the [OOTB] Microsoft Products via KES WIN - Event filter for collector filter.

  3. Requesting a key from KUMA Technical Support.

    If your license did not include a key for activating the functionality of sending Windows logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using KES for Windows version 12.6. We want to activate the functionality of sending Windows logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to make a Technical Support request because new users get 2 keys with licenses for KUMA and for activating the KES for Windows functionality.

    In response to your message, you will get a key file.

  4. Configuration on the side of KSC and KES for Windows.

    A key file that activates the functionality of sending Windows events to KUMA collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add KUMA server addresses to the KES policy and specify network connection settings.

  5. Verifying receipt of Windows events in the KUMA collector

    You can verify that the Windows event source server is correctly configured in the Searching for related events section of the KUMA web interface.

    Microsoft product events transmitted by KES for Windows are listed in the following table:

    Event log

    Event identifier

    DNS Server

    150

    DNS Server

    770

    MSExchange Management

    1

    Security

    4781

    Security

    6416

    Security

    1100

    Security

    1102 / 517

    Security

    1104

    Security

    1108

    Security

    4610 / 514

    Security

    4611

    Security

    4614 / 518

    Security

    4616 / 520

    Security

    4622

    Security

    4624 / 528 / 540

    Security

    4625 / 529

    Security

    4648 / 552

    Security

    4649

    Security

    4662

    Security

    4663

    Security

    4672 / 576

    Security

    4696

    Security

    4697 / 601

    Security

    4698 / 602

    Security

    4702

    Security

    4704 / 608

    Security

    4706

    Security

    4713 / 617

    Security

    4715

    Security

    4717 / 621

    Security

    4719 / 612

    Security

    4720 / 624

    Security

    4722 / 626

    Security

    4723 / 627

    Security

    4724 / 628

    Security

    4725 / 629

    Security

    4726 / 630

    Security

    4727

    Security

    4728 / 632

    Security

    4729 / 633

    Security

    4732 / 636

    Security

    4733 / 637

    Security

    4738 / 642

    Security

    4739 / 643

    Security

    4740 / 644

    Security

    4741

    Security

    4742 / 646

    Security

    4756 / 660

    Security

    4757 / 661

    Security

    4765

    Security

    4766

    Security

    4767

    Security

    4768 / 672

    Security

    4769 / 673

    Security

    4770

    Security

    4771 / 675

    Security

    4775

    Security

    4776 / 680

    Security

    4778 / 682

    Security

    4780 / 684

    Security

    4794

    Security

    4798

    Security

    4817

    Security

    4876 / 4877

    Security

    4882

    Security

    4885

    Security

    4886

    Security

    4887

    Security

    4890

    Security

    4891

    Security

    4898

    Security

    4899

    Security

    4900

    Security

    4902

    Security

    4904

    Security

    4905

    Security

    4928

    Security

    4946

    Security

    4947

    Security

    4948

    Security

    4949

    Security

    4950

    Security

    4964

    Security

    5025

    Security

    5136

    Security

    5137

    Security

    5138

    Security

    5139

    Security

    5141

    Security

    5142

    Security

    5143

    Security

    5144

    Security

    5145

    Security

    5148

    Security

    5155

    Security

    5376

    Security

    5377

    Security

    5632

    Security

    5888

    Security

    5889

    Security

    5890

    Security

    676

    System

    1

    System

    104

    System

    1056

    System

    12

    System

    13

    System

    6011

    System

    7040

    System

    7045

    System, Source Netlogon

    5723

    System, Source Netlogon

    5805

    Terminal-Services-RemoteConnectionManager

    1149

    Terminal-Services-RemoteConnectionManager

    1152

    Terminal-Services-RemoteConnectionManager

    20523

    Terminal-Services-RemoteConnectionManager

    258

    Terminal-Services-RemoteConnectionManager

    261

    Windows PowerShell

    400

    Windows PowerShell

    500

    Windows PowerShell

    501

    Windows PowerShell

    800

    Application, Source ESENT

    301

    Application, Source ESENT

    302

    Application, Source ESENT

    325

    Application, Source ESENT

    326

    Application, Source ESENT

    327

    Application, Source ESENT

    2001

    Application, Source ESENT

    2003

    Application, Source ESENT

    2005

    Application, Source ESENT

    2006

    Application, Source ESENT

    216

    Application

    1000

    Application

    1002

    Application

    1 / 2

Page top