Kaspersky Security Center

About configuring event export in a SIEM system

April 14, 2024

ID 151335_1

Expand all | Collapse all

The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties: an event sender—Kaspersky Security Center and an event receiver—SIEM system. You must configure the export of events in your SIEM system and in the Kaspersky Security Center.

The settings that you specify in the SIEM system depend on the particular system that you are using. Generally, for all SIEM systems you must set up a receiver and, optionally, a message parser to parse received events.

Setting up the receiver

To receive events sent by Kaspersky Security Center, you must set up the receiver in your SIEM system. In general, the following settings must be specified in the SIEM system:

  • Export protocol or input type
  • Port
  • Message protocol or source type

Depending on the SIEM system that you use, you may have to specify some additional receiver settings.

The figure below shows the receiver setup screen in ArcSight.

In ArcSight, the receiver setup screen is located on the Configuration tab. The receiver settings are specified as follows: the receiver name is tcp cef, the IP/Host property is All, the Port is 616, the Encoding is UTF-8, the Source Type is CEF.

Receiver setup in ArcSight

Message parser

Exported events are passed to SIEM systems as messages. These messages must be properly parsed so that information on the events can be used by the SIEM system. Message parsers are part of the SIEM system; they are used to split the contents of the message into the relevant fields, such as event ID, severity, description, parameters and so on. This enables the SIEM system to process events received from Kaspersky Security Center so that they can be stored in the SIEM system database.

See also:

Scenario: configuring event export to SIEM systems

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.