Configuring export of events in CEF format
To enable the export of events in Technical Support Mode, you must first upload the public SSH key in the application web interface.
You can save files containing exported events locally on the server, and you can configure their publication to an external SIEM system. If you do not need to save the files locally, you can skip steps 4–7 of the procedure below (adding the output file line to /etc/rsyslog.conf, creating /var/log/ksmg-cef-messages, configuring its rotation, and restarting rsyslog).
Perform the instructions below on each cluster node whose events you want to export in CEF format.
To configure export of events in CEF format:
- Connect to the Kaspersky Secure Mail Gateway virtual machine management console under the root account using a private SSH key.
You will enter Technical Support Mode.
- Make the following changes in the siemSettings section of the event export configuration file /opt/kaspersky/ksmg/share/templates/core_settings/event_logger.json.template:
  - If you want to select the Syslog category (facility) to which the events will be exported, set the facility parameter to one of the following values:
    Auth
    Authpriv
    Cron
    Daemon
    Ftp
    Lpr
    Mail
    News
    Syslog
    User
    Uucp
    Local0
    Local1
    Local2
    Local3
    Local4
    Local5
    Local6
    Local7
    It is recommended to specify a facility that is not used by other programs on the server. The default value is Local2.
  - Set the enabled parameter to true.
  - Define the export detail level by setting the logLevel parameter to one of the following values:
    Error – export only events related to errors.
    Info – export all events.
  Example:
  "siemSettings":
  {
  "enabled": true,
  "facility": "Local2",
  "logLevel": "Info",
  }
- In the /etc/rsyslog.conf file, change the string
*.info;mail.none;authpriv.none;cron.none;local0.none;local1.none /var/log/messages
to
*.info;mail.none;authpriv.none;cron.none;local0.none;local1.none;<facility selected in event_logger.json.template>.none /var/log/messages
This keeps the exported events out of /var/log/messages, so they are written only to the dedicated file. Use the lowercase rsyslog spelling of the facility in selectors (for example, local2 for Local2).
- Add the following string to the /etc/rsyslog.conf file:
<facility selected in event_logger.json.template>.* -/var/log/ksmg-cef-messages
- Create the /var/log/ksmg-cef-messages file and configure its access rights. To do so, execute the commands:
touch /var/log/ksmg-cef-messages
chown root:klusers /var/log/ksmg-cef-messages
chmod 640 /var/log/ksmg-cef-messages
- Configure the rules for rotating files containing exported events. To do so, add the following strings to the /etc/logrotate.d/ksmg-syslog file:
/var/log/ksmg-cef-messages
{
size 500M
rotate 10
notifempty
sharedscripts
postrotate
/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
endscript
}
- Restart the rsyslog service. To do so, run the following command:
service rsyslog restart
- In the application web interface, in the Settings → Logs and events → Events section, modify the value of any setting and click Save.
This is necessary for synchronization of parameters among cluster nodes and for applying changes that were made to the configuration file. Then you can restore the original value of a modified parameter.
Export of events in CEF format is now configured.
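As an added example, not part of the Kaspersky Secure Mail Gateway documentation or product, the following POSIX shell helper carries out the rsyslog and logrotate steps above for a chosen facility and then checks the plumbing with logger(1). Everything in it beyond the lines quoted from the procedure is an assumption: the function names, the requirement that /etc/rsyslog.conf still carries the stock /var/log/messages selector shown above, and the use of a plain syslog test message to confirm that the facility reaches /var/log/ksmg-cef-messages (a real CEF event appears only once the application writes one). File paths are parameters so the functions can be tried against copies before touching /etc.

```shell
#!/bin/sh
# Added example (not Kaspersky's own script): applies the rsyslog and
# logrotate part of the KSMG CEF export procedure for a chosen facility.
# Assumptions: rsyslog.conf still contains the stock
# "*.info;...;local1.none /var/log/messages" line; paths are parameters so
# the functions can be dry-run on copies of the real files.

# Facilities accepted by the facility parameter of event_logger.json.template.
KSMG_FACILITIES="auth authpriv cron daemon ftp lpr mail news syslog user uucp \
local0 local1 local2 local3 local4 local5 local6 local7"

# Map the JSON spelling ("Local2") to the lowercase name used in rsyslog
# selectors ("local2"); returns 1 for anything outside the allowed list.
ksmg_facility_selector() {
    fac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for f in $KSMG_FACILITIES; do
        if [ "$f" = "$fac" ]; then
            printf '%s' "$fac"
            return 0
        fi
    done
    return 1
}

# Patch an rsyslog.conf: keep the facility out of /var/log/messages and route
# all of it to the CEF file ("-" = asynchronous write, as in the procedure).
# Idempotent: running it twice leaves the file unchanged.
ksmg_patch_rsyslog_conf() {
    conf=$1
    fac=$(ksmg_facility_selector "$2") || return 1
    out=${3:-/var/log/ksmg-cef-messages}
    if ! grep -q "local1\.none;$fac\.none /var/log/messages" "$conf"; then
        sed "s#^\(\*\.info;.*;local1\.none\) /var/log/messages#\1;$fac.none /var/log/messages#" \
            "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    fi
    if ! grep -q "^$fac\.\* -$out\$" "$conf"; then
        printf '%s.* -%s\n' "$fac" "$out" >> "$conf"
    fi
}

# Append the logrotate stanza from the procedure to a logrotate.d file, once.
ksmg_write_logrotate() {
    dst=$1
    out=${2:-/var/log/ksmg-cef-messages}
    if [ -f "$dst" ] && grep -q "^$out\$" "$dst"; then
        return 0
    fi
    cat >> "$dst" <<EOF
$out
{
    size 500M
    rotate 10
    notifempty
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Run as root on a node after editing event_logger.json.template. The final
# logger(1) message is a plumbing check only; it is not a CEF event.
ksmg_apply() {
    fac=$1
    sel=$(ksmg_facility_selector "$fac") || { echo "unknown facility: $fac" >&2; return 1; }
    ksmg_patch_rsyslog_conf /etc/rsyslog.conf "$fac"
    touch /var/log/ksmg-cef-messages
    chown root:klusers /var/log/ksmg-cef-messages
    chmod 640 /var/log/ksmg-cef-messages
    ksmg_write_logrotate /etc/logrotate.d/ksmg-syslog
    service rsyslog restart
    sleep 1
    logger -p "$sel.info" "ksmg-cef-export plumbing check"
    grep -q 'ksmg-cef-export plumbing check' /var/log/ksmg-cef-messages
}
```

Source the file and run ksmg_apply Local2 as root on each node after editing event_logger.json.template and before the web-interface save that synchronizes the cluster; if the final grep fails, the facility is not reaching the dedicated file and the rsyslog.conf edits should be re-checked. If you edit /etc/rsyslog.conf by hand instead, write the selector in the lowercase form (local2.*) that rsyslog configurations conventionally use.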