Before enabling event export in CEF format, you must install the siem_logging_fixes.zip update package on each node of the Kaspersky Web Traffic Security cluster. Contact Technical Support to get the update package.
To enable the export of events in Technical Support Mode, you must first upload the SSH public key in the web interface of the application and configure the publishing of application events to the SIEM system.
Follow the steps below on each node of the cluster from which you want to export events in the CEF format.
To configure the export of events in the CEF format:
If Kaspersky Web Traffic Security was installed from an rpm or deb package, start the command shell of the operating system to run commands with superuser (system administrator) permissions.
Create a backup copy of the event_logger.json.template file: cp -p event_logger.json.template event_logger.json.template.backup
In the siemSettings section (make sure to observe the syntax and structure of the JSON file), set the following values:
"enabled": true,
"facility": "Local5",
"logLevel": "Info",
This is necessary to synchronize settings among cluster nodes and apply changes made to the configuration file. You can then restore the previous value of the setting you edited.
Make sure the settings have been applied by running the command: /opt/kaspersky/kwts/bin/kwts-control --get-settings 20 --format json | grep -A 4 siemSettings
The response must contain the settings with the values specified in step 3.
Export of events in CEF format is configured.
If you want to disable the export of events in the CEF format, follow the steps of the instructions above and at step 3, set "enabled": false.
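The edit of the siemSettings section and the later check of kwts-control's JSON output are the two places where a hand edit can silently go wrong (a stray comma breaks the whole template; grep -A 4 only shows whichever four lines happen to follow the key). The following Python script is an added example, not part of the Kaspersky documentation or product: it applies both the enable and the disable variants of step 3 by parsing and re-serialising the file, takes the backup with metadata preserved like cp -p, and verifies the settings structurally rather than by text matching. Only the three keys enabled, facility and logLevel come from the page; the surrounding structure of event_logger.json.template, the sample contents, and the function names are assumptions made for this example.

```python
import json
import os
import shutil
import tempfile

# Constructed sample of an event_logger.json.template file. The siemSettings
# keys are the ones named in the documentation; everything else, including the
# "otherSettings" section, is an assumption made for this example.
SAMPLE_TEMPLATE = """{
  "siemSettings": {
    "enabled": false,
    "facility": "Local0",
    "logLevel": "Error"
  },
  "otherSettings": {
    "keep": "untouched"
  }
}
"""


def set_siem_settings(template_text, enabled=True, facility="Local5", log_level="Info"):
    """Return the template text with the siemSettings section updated.

    Parsing and re-serialising the whole document (instead of editing lines)
    guarantees the result is still well-formed JSON, which is what the
    "observe the syntax and structure" requirement asks for. Other sections
    are carried over unchanged. Passing enabled=False produces the disable
    variant described at the end of the procedure.
    """
    doc = json.loads(template_text)
    siem = doc.get("siemSettings")
    if not isinstance(siem, dict):
        raise ValueError("siemSettings section missing or not a JSON object")
    siem["enabled"] = bool(enabled)
    siem["facility"] = facility
    siem["logLevel"] = log_level
    return json.dumps(doc, indent=2) + "\n"


def siem_settings_applied(settings_json, expected=None):
    """Structural check of the `kwts-control --get-settings --format json` output.

    Returns True only if every expected key in siemSettings has the expected
    value; malformed JSON or a missing section yields False. This replaces the
    eyeballing of `grep -A 4 siemSettings`, which depends on line layout.
    """
    if expected is None:
        expected = {"enabled": True, "facility": "Local5", "logLevel": "Info"}
    try:
        doc = json.loads(settings_json)
    except json.JSONDecodeError:
        return False
    siem = doc.get("siemSettings")
    if not isinstance(siem, dict):
        return False
    return all(siem.get(key) == value for key, value in expected.items())


def apply_to_template_file(path, enabled=True, facility="Local5", log_level="Info"):
    """Back up the template (preserving metadata like `cp -p`) and rewrite it.

    The new content is written to a temporary file in the same directory and
    renamed into place so that an interrupted write never leaves a truncated,
    unparsable template behind. Returns the path of the backup copy.
    """
    backup = path + ".backup"
    shutil.copy2(path, backup)  # copy2 keeps mode and timestamps, as cp -p does
    with open(path, "r", encoding="utf-8") as fh:
        updated = set_siem_settings(fh.read(), enabled, facility, log_level)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".event_logger.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(updated)
        shutil.copymode(path, tmp)  # keep the original file permissions
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return backup


if __name__ == "__main__":
    enabled_text = set_siem_settings(SAMPLE_TEMPLATE)
    print(enabled_text)
    print("applied:", siem_settings_applied(enabled_text))
```

Run it on the real node only after the backup step, point apply_to_template_file at the actual event_logger.json.template path from the product documentation, and feed the output of the kwts-control command to siem_settings_applied instead of grep; a False result means the web-interface save that synchronises the cluster has not propagated the change yet or the edit did not parse.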