This section describes how to configure AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace.
To configure AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace:
In the /etc/rsyslog.conf file, add the following rule:
if ($fromhost-ip == '%DEVICE_IP%') then {action (type="omfwd" Target="%CyberTrace_IP_IN%" Port="%CyberTrace_PORT_IN%" Protocol="tcp" Device="%INTERFACE%") action (type="omfile" File="%PATH%")}
Here:
%CyberTrace_IP_IN% — IP address of the computer on which Kaspersky CyberTrace runs.
%CyberTrace_PORT_IN% — Port that Kaspersky CyberTrace listens on for incoming events.
%INTERFACE% — Name of the network interface of the computer on which AlienVault USM / OSSIM runs, which will be used for forwarding events to Kaspersky CyberTrace. For example, eth0.
%DEVICE_IP% — IP address of the device from which events arrive at AlienVault USM / OSSIM and must be forwarded to Kaspersky CyberTrace.
action (type="omfile" File="%PATH%") — Instructions for the rsyslog service to store, in AlienVault USM / OSSIM, the events that are forwarded to Kaspersky CyberTrace.
%PATH% — Path to the file in which the events will be stored. %PATH% can be any file where you want to store the forwarded events.
action (type="omfile" File="%PATH%") — Optional. You can specify this command during the integration process in order to check the following:
When the integration process is finished, it is recommended to remove this line from the configuration file.
This rule must be added after the text # rsyslog zasec.conf. If this text is not present in the configuration file, add the rule before the following lines:
if not ($fromhost-ip == '127.0.0.1') then -/var/log/ossim/asec_unk.log
if not ($fromhost-ip == '127.0.0.1') then ~
Restart the rsyslog service:
/etc/init.d/rsyslog restart
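The procedure above leaves two things to the administrator: substituting the five placeholders, and placing the rule at the right spot in rsyslog.conf (after the "# rsyslog zasec.conf" marker, or before the two asec catch-all lines when the marker is absent). The following shell script is an added example, not part of the Kaspersky CyberTrace documentation: it builds the rule from the placeholder values, inserts it at the required position in a working copy of the configuration, reports the line it landed on, and hands the result to rsyslogd's syntax check. The IP addresses, port and log path in the comments are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example; not part of the Kaspersky CyberTrace documentation.
# Builds the forwarding rule from the procedure above and inserts it into a
# copy of rsyslog.conf at the position the procedure requires: after the
# "# rsyslog zasec.conf" marker, or, when the marker is absent, before the
# first "if not ($fromhost-ip == '127.0.0.1') then ..." line.
# All IP addresses, ports and paths used here are constructed placeholders.

# build_forward_rule DEVICE_IP CYBERTRACE_IP CYBERTRACE_PORT INTERFACE PATH
# Prints the one-line rsyslog rule with the five placeholders substituted.
build_forward_rule() {
    printf '%s\n' "if (\$fromhost-ip == '$1') then {action (type=\"omfwd\" Target=\"$2\" Port=\"$3\" Protocol=\"tcp\" Device=\"$4\") action (type=\"omfile\" File=\"$5\")}"
}

# insert_forward_rule CONF RULE
# Rewrites CONF so that RULE sits where the procedure says it must.
# Operate on a copy of /etc/rsyslog.conf: the function overwrites CONF.
# Returns 1 and leaves CONF untouched if neither anchor is found.
# (awk -v interprets backslash escapes; the rule built above contains none.)
insert_forward_rule() {
    conf="$1"
    rule="$2"
    tmp="$conf.tmp.$$"
    if grep -q '^# rsyslog zasec.conf' "$conf"; then
        # Marker present: emit every line, and the rule right after the marker.
        awk -v rule="$rule" '{ print } /^# rsyslog zasec.conf/ && !done { print rule; done = 1 }' "$conf" > "$tmp"
    else
        # No marker: emit the rule immediately before the first asec catch-all line.
        awk -v rule="$rule" '/^if not \(.fromhost-ip == .127\.0\.0\.1.\) then/ && !done { print rule; done = 1 } { print }' "$conf" > "$tmp"
    fi
    if ! grep -qF -- "$rule" "$tmp"; then
        echo "insert_forward_rule: no insertion point found in $conf" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$conf"
}

# rule_line_number CONF RULE
# Prints the 1-based line number at which RULE appears in CONF, or 0 if absent.
rule_line_number() {
    n=$(grep -nF -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# validate_config CONF
# Asks rsyslogd to parse CONF without starting (rsyslogd -N1); requires rsyslogd.
validate_config() {
    rsyslogd -N1 -f "$1"
}

# Example run on a working copy (all values are constructed placeholders):
#   cp /etc/rsyslog.conf /tmp/rsyslog.conf.work
#   rule=$(build_forward_rule 192.0.2.10 198.51.100.5 9999 eth0 /var/log/cybertrace_forwarded.log)
#   insert_forward_rule /tmp/rsyslog.conf.work "$rule"
#   validate_config /tmp/rsyslog.conf.work && rule_line_number /tmp/rsyslog.conf.work "$rule"
```

Two points worth keeping in mind when using this: the local omfile copy is the check the procedure describes, so once the events are confirmed to reach Kaspersky CyberTrace the script's rule should be replaced by one without that action, as the procedure recommends; and Protocol="tcp" is plain, unencrypted syslog over TCP, so the path between the AlienVault USM / OSSIM host and the CyberTrace host should be a trusted network segment.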