Configuring collectors in KUMA

In KUMA, you need to create four collectors to receive Kaspersky NGFW security events.

You can import collectors and all necessary resources for KUMA from the kuma-kngfw-1.1.0 file included in the distribution kit, or create these manually following the instructions in the KUMA Help.

To configure collectors in KUMA:

  1. Open the KUMA web interface.
  2. Import resources:
    1. Go to the Resources section and click Resource import.

      This opens the Resource import window.

    2. In the Tenant drop-down list, select the default tenant (Root tenant).
    3. In the Import source drop-down list, select File.
    4. Enter the password for the file and select the kuma-kngfw-1.1.0 file from the distribution kit.
    5. Select the resources to import: All resources.
    6. Click Import.
    7. Resolve conflicts between resources imported from the file and existing resources, if any. For details, see the KUMA Help.

    The following collectors and the connectors and normalizers that they require will be imported:

    • ngfw_ksc_plugin_collector
    • ngfw_cef_collector
    • ngfw_syslog_collector
    • KSC log collector
  3. Create a storage service:
    1. Go to Resources → Active services and click Add.
    2. Select the default storage ([OOTB] Storage).
    3. Click Create service.
    4. In the Services section, select the check box next to the created service ([OOTB] Storage) and click Copy ID in the menu.
    5. On the server where KUMA is installed, run the command to create a storage service:

      sudo /opt/kaspersky/kuma/kuma storage --core https://kumatest.localdomain:7210 --id <service ID copied from the KUMA web interface> --api.port 7221 --install

  4. Create the necessary spaces:
    1. Go to the Resources → Storages section and click the line with the default storage ([OOTB] Storage).
    2. In the Spaces section, click Add space.
    3. In the Name field, enter a name for the space you are creating: dataplane_events, service_events, management_events, or system_events.
    4. Under Filter parameters, in the Filter drop-down list, select Create new.
    5. Click Add condition and add the following conditions for the spaces you are creating:
      • For dataplane_events:

        (DeviceEventClassID = Firewall, SSL Inspection, URL Antivirus, File Antivirus, IDPS, Web Control, DNS Security, Explicit Proxy)

      • For system_events:

        (DeviceEventClassID = Update of the malware signature database, System time, Integrity check, Monitoring security functions, HW and SW faults, Cluster operation)

      • For management_events:

        (DeviceEventClassID = Authentication Event, Traffic filtering management, IP address settings, MAC address settings, General functions settings, General functions management, Security functions management, Journal management)

      • For service_events:

        (DeviceEventClassID = 'Service')

      To add more spaces, click Add space and repeat steps 2 through 5 for each space.

    6. Click Save.
  5. Change the secret for the connection to the Open Single Management Platform database:
    1. Go to the Resources → Secrets section and click the line with the ksc_secret secret.
    2. In the URL field, specify the address for the server connection in the following format:

      postgres://user:password@kscdb.example.com:5432/database

      where:

      • user is the user account with permission to SELECT from the public schema and CONNECT to the required database.
      • password is the password of the user account.
      • kscdb.example.com:5432 is the address and port of the database server.
      • database is the name of the Open Single Management Platform database.
    3. Click Save.
  6. Add the default storage ([OOTB] Storage) to the imported collectors: ngfw_ksc_plugin_collector, ngfw_cef_collector, ngfw_syslog_collector, KSC log collector.
    1. Go to the Resources → Collectors section and select the Root tenant.
    2. Click the line with the required collector.
    3. Go to the Routing section and, if necessary, delete the existing storages.
    4. Click Add.

      This opens the window for creating a destination.

    5. Enter the storage name, [OOTB] Storage.
    6. In the Kind drop-down list, select storage.
    7. In the URL field, select the suggested address for [OOTB] Storage.
    8. Click Save.
  7. Install collectors on the server:
    1. Go to the Resources → Collectors section and select the Root tenant.
    2. Click the line with the required collector.
    3. Go to the Setup validation section and click Save and create.
    4. In the window that opens, copy the command from the Recommended command for collector installation field and run it on the server command line to install the collector.
  8. Update the service configuration:
    1. Go to the Resources → Active services section.
    2. Select the services that need to be updated and click Update configuration.

In the KUMA application, the necessary collectors are configured to receive events from Kaspersky NGFW.
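As an added check (example code, not part of the KUMA documentation or the kuma-kngfw-1.1.0 kit), the four space filters from step 4 are written out as a routing table and applied to constructed CEF sample events: DeviceEventClassID is read from the fifth CEF header field (assumed to be the field KUMA exposes under that name), and the code reports events that no space filter accepts and class IDs listed in more than one filter. The sample lines and the "Backup" class in them are constructed for illustration.

```python
import re
# The four space filters from step 4 (the quotes around 'Service' on the page
# belong to the filter syntax, not to the value).
SPACE_FILTERS = {
    "dataplane_events": {"Firewall", "SSL Inspection", "URL Antivirus", "File Antivirus",
                         "IDPS", "Web Control", "DNS Security", "Explicit Proxy"},
    "system_events": {"Update of the malware signature database", "System time",
                      "Integrity check", "Monitoring security functions",
                      "HW and SW faults", "Cluster operation"},
    "management_events": {"Authentication Event", "Traffic filtering management",
                          "IP address settings", "MAC address settings",
                          "General functions settings", "General functions management",
                          "Security functions management", "Journal management"},
    "service_events": {"Service"},
}

# Constructed sample events, not real NGFW output; "Backup" is a made-up class
# that none of the four filters covers.
SAMPLE_EVENTS = [
    "CEF:0|Kaspersky|NGFW|1.0|Firewall|Connection denied|5|src=10.0.0.5 dst=10.0.0.9",
    "CEF:0|Kaspersky|NGFW|1.0|Authentication Event|Admin login|3|suser=admin",
    "CEF:0|Kaspersky|NGFW|1.0|Service|Service started|1|",
    "CEF:0|Kaspersky|NGFW|1.0|Backup|Config backup done|1|",
]

def cef_device_event_class_id(line):
    """Return CEF header field 5 (DeviceEventClassID), or None if the line is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Split on pipes that are not backslash-escaped; 7 splits give the 8 CEF parts.
    fields = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(fields) < 8:
        return None
    return fields[4].replace("\\|", "|").replace("\\\\", "\\")

def route_to_space(line):
    """Return the name of the space whose filter accepts the event, or None."""
    class_id = cef_device_event_class_id(line)
    return next((s for s, ids in SPACE_FILTERS.items() if class_id in ids), None)

def unrouted_events(lines):
    """Events no filter accepts: with these filters they would be stored in no space."""
    return [ln for ln in lines if route_to_space(ln) is None]

def overlapping_class_ids():
    """Class IDs listed in more than one filter (empty when the filters partition cleanly)."""
    seen, dup = set(), set()
    for ids in SPACE_FILTERS.values():
        dup |= seen & ids
        seen |= ids
    return dup
```

Running `unrouted_events` over a sample of real collector input shows which event classes would fall outside all four spaces before the filters are saved.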
