Kaspersky Container Security

Exporting events to SIEM systems

March 27, 2024

ID 255365

Kaspersky Container Security allows you to send event messages to SIEM systems for collection, analysis, and subsequent response to potential security risks. The messages contain data for the same types and categories of events that are logged in the security event log.

System events are transmitted once the integration with the SIEM system has been configured during installation of the solution. Event messages are forwarded to the SIEM log collection server in CEF format over TCP or UDP to the specified port (typically port 514, the standard syslog port). Note that the transport is plain syslog with no encryption or delivery acknowledgement; UDP in particular silently drops messages under load, so use TCP where the collector supports it and keep the collector on a network path that is not exposed to untrusted hosts. When the solution is deployed, these parameters are specified in the values.yaml configuration file:

CEF_PROTOCOL=tcp

CEF_HOST=<ip address>

CEF_PORT=<port>

The transmitted message consists of a syslog header followed by the pipe-separated CEF header fields and a set of key=value extensions:

  1. The syslog header, which specifies the date, time, and host name.
  2. The CEF: prefix and CEF version number.
  3. Device vendor.
  4. Solution name.
  5. Solution version.
  6. A unique event type code (signature ID) generated by the solution.
  7. Event description (event name).
  8. Event severity rating.
  9. Additional information in the extension part, such as device IP address, event reason, event result, and event status.
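The following is an added example, not code from Kaspersky Container Security: a parser and builder for syslog-framed CEF messages with the component layout listed above, useful for checking what actually arrives on the collector's port 514 and for generating test messages against the CEF_HOST/CEF_PORT settings. The sample message is constructed for the example; its vendor, product, version, event code and extension values are placeholders and do not claim to match a real KCS event. The parser honours CEF escaping (backslash-escaped `|` in the header and `=` in extension values), which is the usual place where naive `split()` based parsers break.

```python
"""Parse and build syslog-framed CEF messages (added example, not KCS code)."""
import re
import socket
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout described above; values are placeholders,
# not a captured Kaspersky Container Security message.
SAMPLE = (
    "<14>Mar 27 10:15:42 kcs-node01 "
    "CEF:0|Kaspersky|Container Security|1.2.3|1001|Image scan completed|5|"
    "src=10.0.0.12 reason=policy\\=strict outcome=success "
    "msg=Image registry.local/app:1.0 has 3 critical CVEs"
)

# <PRI>Mmm dd HH:MM:SS host CEF:...   (PRI is optional in many collectors)
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<cef>CEF:.*)$", re.S)
# Extension keys are alphanumeric and sit at the start or after whitespace.
EXT_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


@dataclass
class CefEvent:
    pri: Optional[int]
    timestamp: str
    host: str
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extensions: dict = field(default_factory=dict)


def _split_unescaped(text, sep, maxsplit):
    """Split on sep, ignoring backslash-escaped separators; at most maxsplit
    splits, so the remainder (the extension part) keeps any literal pipes."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape; unescaped later
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extensions(ext):
    """'k1=v1 k2=v two' -> dict; a value runs until the next key= token."""
    keys = list(EXT_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line):
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a syslog-framed CEF message")
    fields = _split_unescaped(m.group("cef")[len("CEF:"):], "|", 7)
    if len(fields) != 8:
        raise ValueError("CEF header must contain exactly 7 pipe-separated fields")
    ver, vendor, product, dver, sig, name, sev, ext = fields
    return CefEvent(
        pri=int(m.group("pri")) if m.group("pri") else None,
        timestamp=m.group("ts"), host=m.group("host"),
        version=int(ver), vendor=_unescape(vendor), product=_unescape(product),
        device_version=_unescape(dver), signature_id=_unescape(sig),
        name=_unescape(name), severity=int(sev),
        extensions=parse_extensions(ext))


def _esc_header(s):
    return str(s).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    return (str(s).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\n", "\\n").replace("\r", "\\r"))


def build_cef(vendor, product, device_version, signature_id, name, severity, **ext):
    """Build the CEF part (without the syslog header) with correct escaping."""
    header = "|".join(_esc_header(x) for x in
                      (vendor, product, device_version, signature_id, name, severity))
    exts = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{exts}"


def send_cef(cef, host, port, protocol="tcp", pri=14, ts="Mar 27 10:15:42",
             hostname="kcs-node01"):
    """Send one framed message the way CEF_PROTOCOL/CEF_HOST/CEF_PORT describe."""
    line = f"<{pri}>{ts} {hostname} {cef}\n".encode()
    kind = socket.SOCK_STREAM if protocol == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        if protocol == "tcp":
            s.connect((host, port))
            s.sendall(line)
        else:
            s.sendto(line, (host, port))


if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

To verify a collector end to end, run a listener (for example `nc -l 514` or the SIEM's own syslog input) and call `send_cef(build_cef(...), CEF_HOST, CEF_PORT, CEF_PROTOCOL)`; what the listener prints should parse back through `parse_cef` with the same field values, including any `=` or `|` characters in the extension values.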

Example of a message forwarded to a SIEM system
