About SIEM integration
August 3, 2023
To reduce the load on low-performance devices and to reduce the risk of system degradation as a result of increased application log sizes, you can configure the publication of audit events and task performance events to the syslog server via the Syslog protocol.
A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and performs other log management actions.
You can use SIEM integration in two modes:
- Duplicate events on the syslog server: in this mode, all task performance events whose publication is configured in log settings, as well as all system audit events, continue to be stored on the protected device even after they are sent to the SIEM server.
We recommend that you use this mode to reduce the load on the protected device as much as possible.
- Delete local copies of events: in this mode, all events that are registered during application operation and published to the SIEM server will be deleted from the protected device.
The application never deletes local versions of the security log.
Kaspersky Industrial CyberSecurity for Nodes can convert events in application logs into formats supported by the syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The application supports conversion into structured data format and into JSON format.
We recommend that you select the format of events based on the configuration of the utilized SIEM server.
You can reduce the risk that events will be relayed to the SIEM server unsuccessfully by defining the settings for connecting to a mirror syslog server.
A mirror syslog server is an additional syslog server to which the application switches automatically if the connection to the main syslog server is unavailable or if the main server cannot be used.
Kaspersky Industrial CyberSecurity for Nodes also uses system audit events to notify you about unsuccessful attempts to connect to the SIEM server and about errors while sending events to the SIEM server.