Configuring Kaspersky Security Center to send events to KUMA
If you want to be able to see task-related information from Kaspersky Security Center in KUMA, you must configure the export of Kaspersky Security Center events in CEF format and select the event types that must be exported from Kaspersky Security Center.
To export Kaspersky Security Center events to KUMA:
1. In the Kaspersky Security Center console tree, select the Administration Server whose events you want to export.
2. In the workspace of the selected Administration Server, click the Events tab.
3. Click the drop-down arrow next to the Configure notifications and event export link and select Configure export to SIEM system in the drop-down list.
   The events properties window opens, displaying the Event export section.
4. In the Event export section, specify the following export settings:
   a. Select the Automatically export events to SIEM system database check box.
   b. In the SIEM system drop-down list, select ArcSight (CEF format).
   c. In the SIEM system server address field, enter the web address of the KUMA collector server that will be used to receive events from Kaspersky Security Center.
   d. In the SIEM system server port field, enter the port on which the KUMA collector server will expect Kaspersky Security Center events.
   e. In the Protocol drop-down list, select TCP/IP.
5. Click OK.
Automatic export of Kaspersky Security Center events will be enabled. For more information about exporting events from Kaspersky Security Center to SIEM systems, please refer to the Kaspersky Security Center Online Help Guide.
To select event types for export, for each Kaspersky Security Center policy you need to:
1. In the console tree of Kaspersky Security Center, select the Policies node.
2. Right-click to open the context menu of the relevant policy and select Properties.
3. In the policy properties window that opens, select the Event configuration section.
4. In the Info tab, select the Task started and Task completed event types and click the Properties button.
5. In the event properties window that appears, select the Export to SIEM system using Syslog check box to enable export for the selected events.
6. Click OK to save the changes.
7. In the policy properties window, click OK.
The selected events will be sent to the KUMA over the Syslog protocol. For more information about exporting events from Kaspersky Security Center using the Syslog protocol, please refer to the Kaspersky Security Center Online Help Guide.
You must configure a KUMA collector to receive Kaspersky Security Center events. Events from Kaspersky Security Center carry the field value DeviceProduct = SecurityCenter, which can be used to search for them in KUMA.
An example collector for receiving Kaspersky Security Center events is included in the KUMA installation package. It is named [Example] KSC. It consists of a connector that listens on TCP port 5141 and, more importantly, of the normalizer [Example] KSC, which you can use to process Kaspersky Security Center events in your own collectors.
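The following is an added example, not code from KUMA or Kaspersky Security Center, illustrating what the collector side of the procedure above has to do once the CEF export over TCP/IP is enabled: accept the TCP stream, split it into CEF records, parse the header and extension, and recognise Kaspersky Security Center events by DeviceProduct = SecurityCenter as the page describes. The three sample events are constructed; only the product name and the "Task started" / "Task completed" event names come from this page, while the vendor string, version, signature ids, host names and extension keys are placeholders and are not claimed to match real Kaspersky Security Center output. The listener binds a free local port rather than the example collector's port 5141 so the script runs stand-alone.

```python
import re
import socket
import threading

# Constructed sample events (not real Kaspersky Security Center output):
# three CEF lines in the shape an "ArcSight (CEF format)" export produces.
# Only DeviceProduct=SecurityCenter and the event names "Task started" /
# "Task completed" come from the documentation; vendor, version, signature
# ids, host names and extension values are placeholders.
SAMPLE_EVENTS = [
    "CEF:0|ExampleVendor|SecurityCenter|PLACEHOLDER_VERSION|1001|Task started|3|"
    "dvchost=ksc-example msg=Task started on example host cs1=Example\\=Task",
    "CEF:0|ExampleVendor|SecurityCenter|PLACEHOLDER_VERSION|1002|Task completed|3|"
    "dvchost=ksc-example msg=Task completed cs1=Example\\=Task",
    "CEF:0|OtherVendor|OtherProduct|1|100|Unrelated event|5|dvchost=other-host",
]

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _unescape_header(value):
    # In CEF header fields only '|' and '\' are escaped with a backslash.
    return value.replace("\\|", "|").replace("\\\\", "\\")


def _parse_extension(ext):
    # The extension is "key=value key=value ..."; values may contain spaces,
    # and '=' and '\' inside a value are escaped as '\=' and '\\'.
    pairs = {}
    pattern = r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)"
    for match in re.finditer(pattern, ext):
        key, value = match.group(1), match.group(2)
        pairs[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef(line):
    """Parse one CEF record into a dict of header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:20])
    # Split on unescaped '|' into the 7 header fields and the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: %r" % line[:40])
    event = {name: _unescape_header(raw) for name, raw in zip(HEADER_FIELDS, parts[:7])}
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event.update(_parse_extension(parts[7]))
    return event


def is_ksc_event(event):
    """The documented way to recognise Kaspersky Security Center events."""
    return event.get("device_product") == "SecurityCenter"


def receive_once(listener):
    """Accept one TCP connection and return the parsed CEF events it carries."""
    conn, _ = listener.accept()
    with conn:
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:          # peer closed the connection
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("utf-8")
    return [parse_cef(rec) for rec in raw.splitlines() if rec.strip()]


def roundtrip(lines, host="127.0.0.1"):
    """Stand-in for the KSC -> collector path: send the lines over TCP to a
    local listener and return only the events a KUMA collector would keep."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))       # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    received = []
    worker = threading.Thread(target=lambda: received.extend(receive_once(listener)))
    worker.start()
    with socket.create_connection((host, port)) as client:
        client.sendall(("\n".join(lines) + "\n").encode("utf-8"))
    worker.join(timeout=5)
    listener.close()
    return [ev for ev in received if is_ksc_event(ev)]


if __name__ == "__main__":
    for ev in roundtrip(SAMPLE_EVENTS):
        print(ev["signature_id"], ev["name"], ev.get("dvchost"))
```

Running the script sends the three constructed records through a local TCP socket and prints only the two Kaspersky Security Center events; the unrelated record is dropped by the DeviceProduct check. When verifying a real deployment, the same shape of listener bound to the collector's port is a quick way to confirm that records from the Administration Server actually arrive and parse before looking at the normalizer.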