You can enable automatic event export in Kaspersky Security Center.
Only general events can be exported from managed applications over the CEF and LEEF formats. Application-specific events cannot be exported from managed applications over the CEF and LEEF formats. If you need to export events of managed applications or a custom set of events that has been configured using the policies of managed applications, you have to export the events in the Syslog format.
To enable automatic export of events:
In the Kaspersky Security Center console tree, select the Administration Server whose events you want to export.
In the workspace of the selected Administration Server, select the Events tab.
Click the drop-down arrow next to the Configure notifications and event export link, and then select Configure export to SIEM system in the drop-down list.
The events properties window opens, displaying the Event export section.
In the Event export section, specify the following export settings:
Event export section of the event properties window
Select this check box to enable automatic export of events to SIEM systems. Selecting this check box enables all fields in the Exporting events section.
Specify the maximum size (in bytes) of one message relayed to the SIEM system. Each event is relayed in one message. If the actual length of a message exceeds the specified value, the message is truncated and data may be lost. The default size is 2048 bytes. This field is available only if you selected the Syslog format in the SIEM system field.
Specify the port number to connect to the SIEM system server. This port number must be the same as that, which your SIEM system uses to receive the events (see section Configuring a SIEM system for details).
Select the protocol to be used for transferring messages to the SIEM system. You can select either the TCP/IP, UDP, or TLS over TCP protocol.
Specify the following TLS settings if you select the TLS over TCP protocol:
SIEM server authentication
Choose one of the following ways to authenticate the SIEM system server:
By using CA certificates. You can receive a file with a list of certificates from a trusted certification authority (CA) and upload the file to Kaspersky Security Center. Kaspersky Security Center checks whether the SIEM system server certificate is also signed by a trusted CA or not.
To add a trusted certificate, click the Browse button, and then upload the certificate.
If you select the By using CA certificates option, you can specify subject names in the Subjects of server certificates (optional) field. Subject name is a domain name for which the certificate is received. Kaspersky Security Center cannot connect to the SIEM system server if the domain name of the SIEM system server does not match the subject name of the SIEM system server certificate. However, the SIEM system server can change its domain name if you change the subject name in the certificate. To do this, specify the subject names in the Subjects of server certificates (optional) field. If any of the specified subject names matches the subject name of the SIEM system certificate, Kaspersky Security Center validates the SIEM system server certificate.
By using SHA1 thumbprints of server certificates. You can specify SHA-1 thumbprints of the SIEM system certificates in Kaspersky Security Center. To add a SHA-1 thumbprint, enter it in the field under the option.
Client authentication
For client authentication, you can insert your certificate or generate it in Kaspersky Security Center.
Insert certificate. You can use a certificate that you received from any source, for example, from any trusted CA. To insert an existing certificate, click the Browse for certificate button. In the opened Certificate window, choose one of the following certificate types, and then specify the certificate and its private key:
X.509 certificate. Upload a file with a private key in the Private key (*.prk, *.pem) field, and a file with a certificate in the Certificate (*.cer) field. To do this, click the Browse button to the right of the corresponding field, and then add the required file. Both files do not depend on each other and the order of loading the files is not significant. After you upload both files, specify the password for decoding the private key in the Password field. The password can have an empty value if the private key is not encoded.
PKCS #12 container. Upload a single file that contains a certificate and its private key in the Certificate file field. To do this, click the Browse button to the right of the field, and then add the required file. After you upload the file, specify the password for decoding the private key in the Password field. The password can have an empty value if the private key is not encoded.
Generate key. You can generate a self-signed certificate in Kaspersky Security Center. Click the Generate certificate button, and then enter a subject name in the Subject field. The client certificate is generated for this subject name and the SHA-1 thumbprint of this certificate is displayed in the SHA1 thumbprint of client certificate field. As a result, Kaspersky Security Center stores the generated self-signed certificate, and you can pass the public part of the certificate or SHA-1 thumbprint to the SIEM system.
If you want to export to the SIEM system database the events that occurred after a specified date in the past, click the Export archive button, and then specify the start date for event export. By default, the event export starts immediately after you enable it.
To check that the SIEM system connection is successfully configured, click the Test settings button.
The application tries to establish connection with the SIEM system server and send a test event. The connection status is displayed.
Click OK.
Automatic export of events is enabled.
After enabling automatic export of events, you must select which events will be exported to the SIEM system.
