In Kaspersky Endpoint Security for Linux, starting from version 12.2, events can be sent from Linux logs to a KUMA collector. This allows KUMA to receive events from Linux logs from all hosts on which Kaspersky Endpoint Security for Linux version 12.2 is installed. To activate the functionality, you need:
Configuring the receipt of events involves the following steps:
In KUMA, you must configure getting updates through Kaspersky update servers.
Click Resource import and select [OOTB] KESL syslog cef in the list of available normalizers.
To receive Linux events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] KESL syslog cef normalizer.
If your license did not include a key for activating the functionality of sending Linux logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using Kaspersky Endpoint Security for Linux version 12.2. We want to activate the functionality of sending Linux logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to make a Technical Support request because new users get 2 keys with licenses for KUMA and for activating the Kaspersky Endpoint Security for Linux functionality.
In response to your message, you will get a key file.
A key file that activates the functionality of sending Linux events to KUMA collectors must be imported into Kaspersky Security Center and distributed to Kaspersky Endpoint Security endpoints in accordance with the instructions. You must also add KUMA server addresses to the Kaspersky Security Center policy and specify network connection settings.
You can verify that the Linux event source server is correctly configured in the Searching for related events section of the KUMA web interface.
Kaspersky Endpoint Security for Linux sends the following events: