Make sure that the settings in the /opt/kaspersky/kwts/share/templates/core_settings/event_logger.json.template configuration file have the following values, and make changes if necessary:
"siemSettings":
{
"enabled": true,
"facility": "Local5",
"logLevel": "Info",
"formatting":
{
Save your changes.
To send events via UDP, make the following changes to the /etc/rsyslog.conf configuration file:
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName ForwardToSIEM
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
local5.* @<IP address of the KUMA collector>:<port of the collector>
If you want to send events over TCP (unlike UDP, TCP lets rsyslog detect an unreachable collector, so the queue and retry directives above only take effect with it), the last line should be as follows:
local5.* @@<IP address of the KUMA collector>:<port of the collector>
Save your changes.
Restart the rsyslog service with the following command:
sudo systemctl restart rsyslog.service
Go to the KWTS web interface, to the Settings – Syslog tab and enable the Log information about traffic profile option.
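The following script is an added example, not Kaspersky's code, that checks the two configuration fragments from the steps above and verifies the mechanism behind the `local5.*` selector: rsyslog matches on the syslog PRI value, which is facility * 8 + severity, so the facility in event_logger.json.template (Local5 = 21) and the selector in rsyslog.conf must agree. The JSON and rsyslog.conf samples are constructed inline, the collector address 192.0.2.10:5140 is a placeholder, and the loopback test stands in for the real KUMA collector.

```python
"""Checks for the KWTS -> rsyslog -> KUMA syslog forwarding set-up.

Added example, not Kaspersky's code. The JSON and rsyslog.conf fragments below
are constructed to mirror the documented settings; the collector address is an
assumption and the UDP loopback listener replaces the real KUMA collector.
"""
import json
import re
import socket

# Syslog facility and severity codes (RFC 3164 / RFC 5424); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Constructed sample of the siemSettings block from event_logger.json.template.
SAMPLE_SIEM_SETTINGS = """
{
  "siemSettings": {
    "enabled": true,
    "facility": "Local5",
    "logLevel": "Info",
    "formatting": {}
  }
}
"""

# Constructed rsyslog.conf fragment (UDP variant); 192.0.2.10:5140 is a placeholder collector.
SAMPLE_RSYSLOG_CONF = """
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName ForwardToSIEM
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
local5.* @192.0.2.10:5140
"""

REQUIRED_QUEUE_DIRECTIVES = {
    "$WorkDirectory": "/var/lib/rsyslog",
    "$ActionQueueFileName": "ForwardToSIEM",
    "$ActionQueueMaxDiskSpace": "1g",
    "$ActionQueueSaveOnShutdown": "on",
    "$ActionQueueType": "LinkedList",
    "$ActionResumeRetryCount": "-1",
}


def syslog_pri(facility, severity):
    """PRI value rsyslog evaluates when deciding whether 'local5.*' matches a message."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[severity.lower()]


def check_siem_settings(text):
    """Return a list of problems with the siemSettings block (empty list = OK)."""
    s = json.loads(text)["siemSettings"]
    problems = []
    if s.get("enabled") is not True:
        problems.append("siemSettings.enabled must be true")
    if str(s.get("facility", "")).lower() != "local5":
        problems.append("facility must be Local5 so the local5.* selector matches")
    if str(s.get("logLevel", "")).lower() != "info":
        problems.append("logLevel must be Info")
    return problems


# '@' = UDP, '@@' = TCP; host is an IPv4/hostname or a bracketed IPv6 literal.
FORWARD_RE = re.compile(r"^local5\.\*\s+(@@?)(\[[^\]]+\]|[^\s:]+):(\d+)\s*$")


def parse_rsyslog_forwarding(text):
    """Return (transport, host, port, problems) for the local5.* forwarding rule."""
    directives, rule = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
        m = FORWARD_RE.match(line)
        if m:
            rule = m
    problems = [f"{k} {v} missing or wrong"
                for k, v in REQUIRED_QUEUE_DIRECTIVES.items() if directives.get(k) != v]
    if rule is None:
        return None, None, None, problems + ["no local5.* forwarding rule"]
    transport = "tcp" if rule.group(1) == "@@" else "udp"
    host, port = rule.group(2).strip("[]"), int(rule.group(3))
    if not 1 <= port <= 65535 or "<" in host:
        problems.append("collector address still contains a placeholder or a bad port")
    return transport, host, port, problems


def loopback_forward_test(facility="local5", severity="info", msg="KWTS test event"):
    """Send one syslog datagram to a local UDP listener (stand-in for the collector)
    and report whether its PRI falls under local5, plus the decoded severity."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2)
    port = srv.getsockname()[1]
    payload = f"<{syslog_pri(facility, severity)}>kwts: {msg}".encode()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(payload, ("127.0.0.1", port))
    data, _ = srv.recvfrom(4096)
    srv.close()
    cli.close()
    got_pri = int(data[1:data.index(b">")])
    return got_pri // 8 == FACILITIES["local5"], got_pri % 8


if __name__ == "__main__":
    print("siemSettings problems:", check_siem_settings(SAMPLE_SIEM_SETTINGS))
    print("rsyslog rule:", parse_rsyslog_forwarding(SAMPLE_RSYSLOG_CONF))
    print("loopback matches local5.*, severity:", loopback_forward_test())
```

On a real host, point `check_siem_settings` at the contents of event_logger.json.template and `parse_rsyslog_forwarding` at /etc/rsyslog.conf; a non-empty problem list means the forwarding will silently drop or never emit KWTS events. The same PRI logic explains why `logger -p local5.info "test"` is a quick end-to-end probe after `systemctl restart rsyslog.service`.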