Configuring the publishing of application events to a SIEM system

To configure event publishing in Technical Support Mode, you must first upload the SSH public key in the web interface of the application.

Follow the steps below on each node of the cluster from which you want to publish events to the SIEM system. You should only enable export of events in CEF format after configuring the publishing of events.

To configure the publishing of application events to a SIEM system:

  1. If Kaspersky Web Traffic Security was installed from an iso file, connect to the management console of the Kaspersky Web Traffic Security virtual machine under the root account using the SSH private key. This takes you to the Technical Support Mode.

    If Kaspersky Web Traffic Security was installed from an rpm or deb package, start the command shell of the operating system to run commands with superuser (system administrator) permissions.

  2. Events are sent to an external SIEM system using the rsyslog system logging service. To make sure the service is installed and running, run the following command:

    systemctl status rsyslog

    The status of the service must be running.

    If the rsyslog service is not running or is not installed, install and enable the rsyslog service in accordance with the documentation of your operating system.

  3. Specify the address and port for connecting to the server with the SIEM system. To do this, create the /etc/rsyslog.d/kwts-cef-messages.conf file and add the following lines to it:

    $ActionQueueFileName ForwardToSIEM5

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local5.*@@<IP address of the SIEM system>:<port on which the SIEM system receives messages from Syslog via the TCP protocol>

    local5.* stop

    Example:

    $ActionQueueFileName ForwardToSIEM5

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local5.* @@10.16.32.64:514

    local5.* stop
  4. Restart the rsyslog service. To do so, execute the command:

    systemctl restart rsyslog

  5. Check the status of the rsyslog service using the following command:

    systemctl status rsyslog

    The status must be running.

  6. Send a test message to the SIEM system:

    logger -p local5.info Test message

The publishing of application events to the SIEM system is configured.

Page top