Forwarding events from AlienVault USM / OSSIM to Kaspersky CyberTrace

April 11, 2024

ID 183921

This section describes how to configure AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace.

To configure AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace:

  1. For every device from which events will be forwarded to Kaspersky CyberTrace, add the following rule to the /etc/rsyslog.conf file:

    if ($fromhost-ip == '%DEVICE_IP%') then {action (type="omfwd" Target="%CyberTrace_IP_IN%" Port="%CyberTrace_PORT_IN%" Protocol="tcp" Device="%INTERFACE%") action (type="omfile" File="%PATH%")}

    Here:

    • %CyberTrace_IP_IN%—IP address of the computer on which Kaspersky CyberTrace runs.
    • %CyberTrace_PORT_IN%—Port that Kaspersky CyberTrace listens on for incoming events.
    • %INTERFACE%—Name of the network interface of the computer on which AlienVault USM / OSSIM runs, which will be used for forwarding events to Kaspersky CyberTrace.

      For example, eth0.

    • %DEVICE_IP%—IP address of the device from which events arrive at AlienVault USM/OSSIM and must be forwarded to Kaspersky CyberTrace.
    • action (type="omfile" File="%PATH%")—Optional. Instructs the rsyslog service to also store, on the computer on which AlienVault USM / OSSIM runs, the events that are forwarded to Kaspersky CyberTrace.

      %PATH%—Path to the file in which the forwarded events will be stored. %PATH% can be any file where you want to store them.

      You can add this action during the integration process in order to check the following:

      • That events are being forwarded to Kaspersky CyberTrace
      • Which events are being forwarded to Kaspersky CyberTrace

      When the integration process is finished, it is recommended to remove this action from the rule.

    This rule must be added after the text # rsyslog zasec.conf. If this text is not present in the configuration file, add the rule before the following lines:

    if not ($fromhost-ip == '127.0.0.1') then -/var/log/ossim/asec_unk.log

    if not ($fromhost-ip == '127.0.0.1') then ~

  2. Restart the rsyslog service by running the following command:

    /etc/init.d/rsyslog restart
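The following is an added example, not Kaspersky's or AlienVault's own tooling: it renders the per-device rule from step 1 and inserts it at the position step 1 requires (after the # rsyslog zasec.conf line if present, otherwise before the two if not ($fromhost-ip == '127.0.0.1') lines). The IP addresses, port, interface and file paths it uses are constructed placeholders.

```python
# Added example, not Kaspersky's or AlienVault's own tooling: render the per-device
# rsyslog rule from the procedure above and insert it where the page requires.
# All IP addresses, ports and file paths below are constructed placeholders.
import re

MARKER = "# rsyslog zasec.conf"  # rules go directly after this line when present
# Fallback anchor: the first "if not ($fromhost-ip == '127.0.0.1') then ..." line
FALLBACK_RE = re.compile(r"^\s*if not \(\$fromhost-ip == '127\.0\.0\.1'\) then ")


def render_rule(device_ip, ct_ip, ct_port, iface, debug_file=None):
    """One forwarding rule; debug_file adds the optional omfile action used
    to verify forwarding during integration (drop it afterwards)."""
    actions = ['action (type="omfwd" Target="%s" Port="%s" Protocol="tcp" '
               'Device="%s")' % (ct_ip, ct_port, iface)]
    if debug_file:
        actions.append('action (type="omfile" File="%s")' % debug_file)
    return "if ($fromhost-ip == '%s') then {%s}" % (device_ip, " ".join(actions))


def insert_rules(conf_text, rules):
    """Insert rules after MARKER if present, else before the first FALLBACK_RE
    line. Raise if neither exists so rules never land after the '~' discard."""
    lines = conf_text.splitlines()
    pos = next((i + 1 for i, l in enumerate(lines) if l.strip() == MARKER), None)
    if pos is None:
        pos = next((i for i, l in enumerate(lines) if FALLBACK_RE.match(l)), None)
    if pos is None:
        raise ValueError("no insertion anchor found in rsyslog.conf")
    return "\n".join(lines[:pos] + list(rules) + lines[pos:]) + "\n"


# Constructed sample of an OSSIM rsyslog.conf tail that lacks the marker line
SAMPLE_CONF = """$ModLoad imtcp
if not ($fromhost-ip == '127.0.0.1') then -/var/log/ossim/asec_unk.log
if not ($fromhost-ip == '127.0.0.1') then ~
"""

if __name__ == "__main__":
    rule = render_rule("192.0.2.10", "198.51.100.5", "9999", "eth0",
                       debug_file="/var/log/ct_forwarded.log")
    print(insert_rules(SAMPLE_CONF, [rule]))
```

Run it once per device IP, or pass several rendered rules to insert_rules in one call; the ValueError stops you from appending rules below the discard rule, where rsyslog would never reach them.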
