Step 7. Configuring log forwarding to Kaspersky CyberTrace

This section explains how to configure LogRhythm to forward logs to Kaspersky CyberTrace. Configuring LogRhythm includes adding a log receiver and adding a log distribution policy.

Adding a log receiver

In LogRhythm, create a new log receiver. This log receiver will represent Kaspersky CyberTrace.

To add a log receiver to LogRhythm:

1. Run LogRhythm Console.
2. Select Deployment Manager > Tools > Distribution > Log Distribution Services > Receiver Manager.

   The Log Distribution Receiver Manager window opens.

3. Select File > New.
4. Fill in the fields of the Syslog Receiver Properties window that opens:
   • Specify the IP address of the remote host on which Kaspersky CyberTrace is installed (the IP address specified in the InputSettings > ConnectionString element of the Kaspersky CyberTrace Service configuration file).
   • Specify the remote port that Kaspersky CyberTrace listens on for events (the port specified in the InputSettings > ConnectionString element of the Kaspersky CyberTrace Service configuration file).
   • Change Network Protocol to TCP.
   • Undo the Truncate message to 1024 bytes (RFC 3164) check box.
5. Click OK.
6. After a new row appears in the table, right-click the row, and then select Enable.

Adding a log distribution policy

After the log receiver is added, set the conditions by adding a log distribution policy for events to be forwarded to Kaspersky CyberTrace.

To add a log distribution policy:

1. Select Deployment Manager > Tools > Distribution > Log Distribution Services > Policy Manager.
2. In the Log Distribution Policy Manager window that opens, select File > New.

   The Log Distribution Policy Wizard starts. Proceed through the wizard by using the Next button.

3. Select Selected Log Source Lists or Selected Log Sources.

   

   Select Log Sources window

4. In the window, that opens, use filtering to specify the log sources for the events that must be forwarded to Kaspersky CyberTrace.

   Make sure that Kaspersky CyberTrace in not selected as a log source for forwarding, because that will result in events looping. For the same reason, do not select All available Log Sources in the previous step.

5. In the Event Distribution Criteria window, you can define more precise filters for the log sources specified in the previous step.

   For more details on defining these filters, refer to the LogRhythm documentation.

   We recommend that you do not specify these filters.

6. If you did not specify any filters in the previous step, a confirmation window appears, as shown in the figure below.

   Click Yes.

   

   Confirmation of forwarding all logs without applying filters

7. In the Select Distribution Receivers window, select Kaspersky CyberTrace.

   

   Select Distribution Receivers window

8. In the Define Syslog Sender Override Settings window, leave the default settings.

   

   Define Syslog Sender Override Settings window

9. In the Additional Information window, enter the policy name, and then click OK.

   

   Additional Information window

10. After the Log Distribution Policy Wizard finishes, the new row appears in the table.

    Right-click the new row in the table, and then select Enabled.

The computer on which Kaspersky CyberTrace is installed will now receive logs. You can check this by using the netcat utility.

Displaying detection events in LogRhythm

As a result of the above actions, LogRhythm will receive and display detection events. The events will also appear in the web console, which is available at https://<logrhythmIP>:8443 or at https://<logrhythmIP>:80.