Step 6. Adding a log source to System Monitor Agent

February 27, 2024

ID 183792

This section describes the actions to perform so that a new log source pertaining to Kaspersky CyberTrace appears in LogRhythm. If LogRhythm is already configured as described here, no action is required: the new log source appears in LogRhythm automatically, and you only need to check that its settings are as you specified.

To create conditions for a log source pertaining to Kaspersky CyberTrace to be added to LogRhythm:

  1. Run LogRhythm Console.
  2. Select Deployment Manager > System Monitors.
  3. Right-click on the selected agent, and then click Properties in the context menu.

    Figure: Agent context menu (Deployment Manager window in LogRhythm, shortcut menu).

    The System Monitor Agent Properties window opens.

  4. Select the Syslog and Flow Settings tab.
  5. Select the Enable Syslog Server check box.

    Figure: System Monitor Agent Properties window in LogRhythm.

  6. Click OK.
  7. Turn off Windows Firewall, or add an exclusion to it, so that incoming syslog events can reach the agent.
  8. Select Deployment Manager > Data Processors > Properties > Advanced.

    The Data Processor Advanced Properties window opens.

  9. In the table, select the check boxes in the Value column for the following properties (the property names are in the Name column):
    • AutomaticLogSourceConfigurationNetFlow
    • AutomaticLogSourceConfigurationsFlow
    • AutomaticLogSourceConfigurationSNMPTrap
    • AutomaticLogSourceConfigurationSyslog

    Figure: Data Processor Advanced Properties window in LogRhythm.

  10. Click OK.
  11. Restart LogRhythm if necessary.

    LogRhythm will inform you whether a restart is required.
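Step 7 offers turning off Windows Firewall as one option. The following PowerShell, added here as an example and not taken from the Kaspersky CyberTrace or LogRhythm documentation, shows the narrower alternative: one inbound rule that admits syslog only from the CyberTrace host, followed by checks that the firewall stayed enabled and that the agent's syslog server from step 5 is actually listening. The CyberTrace address, the port (514, the standard syslog default) and the protocol are assumptions; replace them with the values you configured.

```powershell
# Added example (not from the Kaspersky or LogRhythm documentation): scope the
# Windows Firewall exception from step 7 to the syslog listener only, instead of
# turning the firewall off. Assumptions, to be replaced with your own values:
#   $CyberTraceHost - IP address of the Kaspersky CyberTrace server (placeholder)
#   $SyslogPort     - port the System Monitor Agent syslog server listens on
#                     (514 is the standard syslog default; use the port you set)
#   $Protocol       - UDP or TCP, matching the agent's syslog server setting
$CyberTraceHost = '192.0.2.10'   # placeholder address from the TEST-NET-1 range
$SyslogPort     = 514
$Protocol       = 'UDP'
$RuleName       = "LogRhythm Agent syslog from Kaspersky CyberTrace ($Protocol/$SyslogPort)"

# Keep the firewall on; only let the CyberTrace host reach the syslog port.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol $Protocol -LocalPort $SyslogPort `
        -RemoteAddress $CyberTraceHost `
        -Profile Domain,Private | Out-Null
}

# Check 1: the firewall is still enabled on every profile (nothing was turned off).
Get-NetFirewallProfile | Select-Object Name, Enabled

# Check 2: the rule exists and is scoped to the CyberTrace host only.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Check 3: the agent's syslog server (step 5) is listening on the expected port.
# An empty result here means the listener is not up, whatever the firewall says.
if ($Protocol -eq 'UDP') {
    Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue
} else {
    Get-NetTCPConnection -LocalPort $SyslogPort -State Listen -ErrorAction SilentlyContinue
}
```

Run this in an elevated PowerShell session on the host where the System Monitor Agent is installed. If the CyberTrace server can later be reached only over a different profile (for example Public), extend the -Profile list rather than widening -RemoteAddress.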

After Kaspersky CyberTrace sends an event, a new item appears on the Log Sources tab.

To accept the new log source:

  1. Right-click the new item, and then select Actions > Resolve Log Source Hosts.
  2. Double-click the new item.

    The Log Source Acceptance Properties window opens.

    Figure: Log Source Acceptance Properties window in LogRhythm.

  3. Edit the properties:
    • Specify the log source host.
    • Specify Kaspersky CyberTrace as the log source type.
    • Specify the MPE policy that you added in step 4.
  4. Click OK.
  5. If an error message appears saying that you cannot use an unknown log source host, add a new entity as follows:
    1. In LogRhythm Console, select the Entities tab.
    2. Click the New Child Entity toolbar button.

      Figure: New Child Entity (plus) button in LogRhythm.

    3. In the Entity Properties window that opens, specify the entity properties.

      Figure: Entity Properties window in LogRhythm.

      The entity name must be unique and non-empty. Other entity properties can be arbitrary.

    4. Click OK.
    5. Repeat the action in step 3 by using the created entity as the log source host.
  6. Select the Action check box.
  7. Right-click the log source, and then select Actions > Accept > Defaults.

    Figure: Log source context menu (Actions > Accept > Defaults) in LogRhythm.

    The new log source now appears in the lower table in LogRhythm Console.

    Figure: New log source in the LogRhythm Console window.

Disabling log forwarding for the events received from Kaspersky CyberTrace

You may need to disable log forwarding for the events received from Kaspersky CyberTrace, to avoid an event loop in which LogRhythm forwards the events it received from Kaspersky CyberTrace back to Kaspersky CyberTrace.

To disable log forwarding for the events received from Kaspersky CyberTrace:

  1. On the Log Sources tab, select the check box of the log source associated with Kaspersky CyberTrace.
  2. Right-click the log source, and then select Actions > Edit properties.

    Figure: Editing the properties of the Kaspersky CyberTrace log source (Edit Properties shortcut menu in LogRhythm).

  3. In the Log Message Source Properties window that opens, select MPE Processing Enabled, Event Forwarding Disabled in the Log Message Processing Mode drop-down list, and then click OK.

    Figure: Specifying the log message processing mode (Log Message Source Properties window in LogRhythm).

In the MPE Processing Mode column, No Event Forwarding will be displayed for the selected log source.

Figure: The MPE Processing Mode column in LogRhythm.
