To configure forwarding events from KATA to the KUMA SIEM system:

1. Open the Web Console of the KATA Central Node: select the Local administrator check box and enter the administrator credentials.

2. Go to Settings → SIEM system.
3. Fill in the required fields:
   • Data to send: select the Activity log and Alerts check boxes.
   • Host/IP: enter the IP address or FQDN address of the KUMA collector.
   • Port: enter the port of the KUMA collector.
   • Protocol: select the TCP or UDP.
   • Host ID: enter the server host ID that will be specified in the SIEM system log as an alert source.
   • Heartbeat: specify the number of minutes from 1 to 59.
   • TLS decryption: this setting is disabled by default. Enable if required.
4. Click Apply.

After configuring event forwarding to KATA, create a collector in KUMA:

1. Open KUMA, go to the Resources section and select Collectors.

2. Select the required folder and click Add.
3. Fill in the fields in the Connect sources section at your discretion.
4. Go to the Transport section and specify the type (also referred to as kind in KUMA) and port of the collector according to the KATA settings.

5. Go to the Event parsing and click Add event parsing.
6. In the Normalizer drop-down menu, select [OOTB] KATA and click OK.

7. Check that the Storage and Correlator destination points are added to the resource set in the Routing section.
   If the points are absent, add them.

8. Go to the Setup validation section and click Create and save service.

9. Copy the command for KUMA collector installation.

10. Type sudo in the beginning of the copied command and run it on the server with the Collector role.

Example: