Configuring the export of events to a SIEM system

Kaspersky NGFW can export events to a SIEM system in the CEF (Common Event Format). CEF is an open log management standard that improves the interoperability of security information from different network devices and applications: a common, text-based event format lets enterprise management systems collect and aggregate data from many sources for analysis.
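Whatever collector receives the export has to split the CEF header and extension correctly, including the escaping rules (`\|` and `\\` in the header, `\=`, `\\`, `\n` and `\r` in extension values), and tolerate a syslog prefix in front of `CEF:`. The parser below is an added example, not Kaspersky NGFW or KUMA code; the vendor and product strings, signature IDs and field values in the sample lines are constructed for illustration and are not the identifiers a real device emits.

```python
"""Parser for CEF (Common Event Format) event lines.

Added example: this is not Kaspersky NGFW code, and the sample lines below
(vendor/product strings, signature IDs and field values) are constructed
for illustration, not taken from a real device."""
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _split_header(body):
    """Return the 7 header fields and the raw extension string.

    In the header, '|' and '\\' are escaped as '\\|' and '\\\\'; the extension
    (everything after the 7th unescaped '|') is returned untouched because
    unescaped pipes are legal there."""
    fields, buf, i, n = [], [], 0, len(body)
    while i < n and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < n and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    return fields, body[i:]


# A key is a run of [A-Za-z0-9_.] at the start of the extension or right
# after whitespace, immediately followed by an unescaped '='.  An escaped
# '\=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_value(value):
    """Undo CEF extension escaping: '\\=', '\\\\', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], "\\" + value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext):
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for pos, match in enumerate(keys):
        end = keys[pos + 1].start() if pos + 1 < len(keys) else len(ext)
        result[match.group(1)] = _unescape_value(ext[match.end():end].strip())
    return result


def parse_cef(line):
    """Parse one CEF line; an optional syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[start + 4:].rstrip("\r\n"))
    return CefEvent(*header, extension=_parse_extension(ext))


SAMPLE_LINES = [  # constructed for this example, not real device output
    "CEF:0|Kaspersky|NGFW|1.0|FW-SESSION|Firewall session closed|3|"
    "src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 proto=TCP act=allow",
    "<134>Jan 10 12:00:00 ngfw CEF:0|Kaspersky|NGFW|1.0|IPS-MATCH|"
    "Rule \\|Internet\\| matched|8|src=198.51.100.9 dst=10.0.0.20 "
    "request=/a\\\\b msg=Profile \\=Strict\\= fired act=block",
]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_cef(raw)
        print(ev.signature_id, ev.severity, ev.name, ev.extension)
```

The second sample line exercises every escape the parser handles; if a collector you write drops the `|` in a rule name or turns `\=` into a new key, that is the case to test.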

Before configuring event export, you need to:

Events of the Firewall type are written to the session log only after the session is closed and removed. While a session is active, its details are shown in the Session Manager. In the event logs of the security engines, records are created as soon as an action specified in a profile, or an exclusion, is triggered.

By default, event export to a SIEM system is disabled.

To configure event export to a SIEM system:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.

    This opens the Policy tab.

  2. In the System section, select Security events.
  3. Select the SIEM settings tab and set the Status toggle switch to On.
  4. Enter the IPv4 address of the SIEM system collector and the port for connecting to the server in the corresponding fields.
  5. In the Timeout for sending events (min) field, specify how long (in minutes) the SIEM system may be unavailable before security events are written to local temporary files. The default is 5 minutes.
  6. Select one of the following protocols:
    • UDP
    • TCP
    • TCP with TLS encryption
    • HTTPS

    TCP with TLS encryption and HTTPS send events over a TLS connection, so they are not readable in transit. Kaspersky NGFW supports TLS version 1.2 and later.

    The HTTPS protocol additionally provides delivery confirmation: the device learns whether the SIEM system accepted the events it sent.

    If security events are exported as plain text (over UDP, or over TCP without TLS), anyone on the network path can read or spoof them. We do not recommend sending such traffic over open communication channels through public networks.

  7. If you have selected the TCP with TLS encryption or HTTPS protocol, upload the SIEM server's certificate (the page calls it an SSL certificate) so that the device can authenticate the server and send events over the encrypted connection:
    1. In the Server certificate field, click the Upload button to open the file selection window and select your certificate file.

      The certificate file must be a PEM-encoded text file with the .pem extension, and the certificate must be valid (in particular, not expired). Before the uploaded certificate expires, a notification is written to the service event log.

      Kaspersky NGFW trusts the uploaded certificate as is. The administrator who uploads it is responsible for verifying that it really belongs to the SIEM server, for example by comparing its fingerprint with the value the SIEM administrator provides through a separate channel.

      After successfully uploading the certificate, information about this certificate is displayed in the Server certificate information section. You can click the file name of the uploaded certificate in this section to view the contents of the file. The following actions are also available in the opened window:

      • Download downloads the certificate file.
      • Copy all copies the contents of the file.
    2. If you want to delete the uploaded certificate file, hover over the Server certificate field, click the trashcan icon and confirm the action. The certificate is removed from the Kaspersky NGFW device.

      After that, you must either select a protocol without TLS or upload another certificate before TCP with TLS encryption or HTTPS can be used again.

  8. Apply the OSMP policy changes by clicking the Commit and push button.

The status of the connection to the SIEM system (if it can be monitored for the selected protocol) and actions performed with the SIEM server certificate are recorded in the system event log.

If an event cannot be sent to the SIEM collector, it is kept in a buffer. When the buffer is full, new events push out the oldest ones, and the events pushed out of the buffer are saved locally to a temporary file on the device, so they are not lost. You can also configure persistent local storage of events.

If security events cannot be sent to the SIEM system, SNMP traps are sent to the SNMP server.

After the connection is restored, events from the buffer and the temporary files are sent to the SIEM system.
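The three paragraphs above describe a store-and-forward pipeline: a bounded in-memory buffer, overflow spilled to a temporary file, and replay once the collector answers again. The model below is an added example, not Kaspersky NGFW code; the buffer size, the one-event-per-line spill file, the oldest-first replay order and the stand-in collector are assumptions made so the behaviour can be exercised offline. It shows what a practitioner should expect during an outage: events keep their order, nothing is dropped while the spill file can grow, and a collector that fails again mid-replay leaves the remainder queued rather than lost.

```python
"""Model of buffer-then-spill-then-replay delivery to a SIEM collector.

Added example, not Kaspersky NGFW code. Buffer size, spill-file layout,
replay order and the FlakyCollector stand-in are assumptions for illustration."""
import collections
import os
import tempfile


class FlakyCollector:
    """Stand-in for the SIEM collector: accepts events only while `up`."""

    def __init__(self):
        self.up = True
        self.received = []

    def accept(self, event):
        if not self.up:
            return False
        self.received.append(event)
        return True


class SiemForwarder:
    def __init__(self, sink, buffer_size):
        self.sink = sink                  # callable(event) -> True if accepted
        self.buffer_size = buffer_size
        self.buffer = collections.deque()  # newest undelivered events, <= buffer_size
        self.spill = tempfile.NamedTemporaryFile("w+", suffix=".events", delete=False)
        self.spilled = 0                  # events currently in the spill file
        self.sent = 0

    def emit(self, event):
        """Deliver now if nothing is queued (keeps ordering); otherwise buffer it,
        pushing the oldest buffered event out to the temporary file when full."""
        if self.pending() == 0 and self.sink(event):
            self.sent += 1
            return
        if len(self.buffer) >= self.buffer_size:
            self.spill.write(self.buffer.popleft() + "\n")  # assumption: one event per line
            self.spilled += 1
        self.buffer.append(event)

    def pending(self):
        return self.spilled + len(self.buffer)

    def flush(self):
        """Replay spilled events first (they are the oldest), then the buffer.
        Stops at the first rejected event and re-queues the remainder."""
        self.spill.flush()
        self.spill.seek(0)
        queued = [line.rstrip("\n") for line in self.spill] + list(self.buffer)
        self.spill.seek(0)
        self.spill.truncate()
        self.spilled = 0
        self.buffer.clear()
        for i, event in enumerate(queued):
            if not self.sink(event):
                rest = queued[i:]
                split = max(0, len(rest) - self.buffer_size)
                for old in rest[:split]:          # oldest back to disk
                    self.spill.write(old + "\n")
                    self.spilled += 1
                self.buffer.extend(rest[split:])  # newest stay in memory
                return False
            self.sent += 1
        return True

    def close(self):
        self.spill.close()
        os.unlink(self.spill.name)


if __name__ == "__main__":
    collector = FlakyCollector()
    fwd = SiemForwarder(collector.accept, buffer_size=3)
    collector.up = False
    for n in range(5):                    # outage: 5 events, buffer holds 3
        fwd.emit("event-%d" % n)
    print("pending", fwd.pending(), "spilled", fwd.spilled, "buffer", list(fwd.buffer))
    collector.up = True
    print("replayed", fwd.flush(), collector.received)
    fwd.close()
```

Sizing the real device's buffer and local storage follows the same arithmetic the model makes visible: expected events per second times the longest outage you want to survive, with the Timeout for sending events setting deciding when the switch to temporary files begins.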

You can minimize the disconnections of Kaspersky NGFW devices from the SIEM system collector in the following ways:

The SIEM connection configuration persists across restarts of the Kaspersky NGFW device.

The Kaspersky NGFW device does not actively check the availability of SIEM system collectors. Monitor availability on the collector side and configure notifications to be sent when the event source stops delivering events.

To view each security event log as a separate log (rather than as one mixed stream in KUMA), you can use a script with a set of saved SQL queries that act as pre-filters, one per security event log.
