Kaspersky Security 11.x for Windows Server

About SIEM integration

May 25, 2022

ID 148502

To reduce the load on low-performance devices and to reduce the risk of system degradation caused by growing application log sizes, you can configure the publication of audit events and task performance events to a syslog server over the Syslog protocol.

A syslog server is an external server for aggregating events (SIEM). It stores and analyzes received events and performs other log management actions.

You can use SIEM integration in two modes:

  • Duplicate events on the syslog server: in this mode, all task performance events whose publication is configured in log settings, as well as all system audit events, continue to be stored on the protected device even after they are sent to the SIEM server.

    We recommend that you use this mode to reduce the load on the protected device as much as possible.

  • Delete local copies of events: in this mode, all events that are registered during application operation and published to the SIEM server will be deleted from the protected device.

    The application never deletes local versions of the security log.

Kaspersky Security for Windows Server can convert events in application logs into formats supported by the syslog server so that those events can be transmitted and successfully recognized by the SIEM server. The application supports conversion into structured data format and into JSON format.

We recommend that you select the format of events based on the configuration of the utilized SIEM server.

Reliability settings

You can reduce the risk that events will be relayed to the SIEM server unsuccessfully by defining the settings for connecting to a mirror syslog server.

A mirror syslog server is an additional syslog server to which the application switches automatically if the connection to the main syslog server is unavailable or if the main server cannot be used.

Kaspersky Security for Windows Server also uses system audit events to notify you about unsuccessful attempts to connect to the SIEM server and about errors while sending events to the SIEM server.
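The following is an added example, not Kaspersky's own code, that ties together the three points above: rendering an event in the two formats a syslog server can receive (RFC 5424 structured data or JSON), delivering it to a main syslog server with automatic fallback to a mirror, and either keeping the local copy ("duplicate events") or deleting it only after a server has accepted it ("delete local copies"). The event fields, the application name "KSWS", the enterprise ID, the server hostnames and the port are placeholders chosen for the example; they are not the product's real event schema or settings.

```python
"""Added example, not Kaspersky's own code: format an audit event for a
syslog/SIEM server (RFC 5424 structured data or JSON), deliver it to a
main server with automatic fallback to a mirror, and keep or delete the
local copy depending on the publication mode."""
import json
import socket
from datetime import datetime, timezone

# Constructed sample event. The field names are assumptions for the example,
# not the product's real event schema.
SAMPLE_EVENT = {
    "host": "fileserver01",
    "event_id": 4001,
    "task": "Real-Time File Protection",
    "result": "ThreatDetected",
    "object": r"C:\Users\alice\Downloads\sample.bin",
}


def _sd_escape(value):
    """RFC 5424 section 6.3.3: escape backslash, double quote and ']' in a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_structured_data(event, app="KSWS", enterprise_id="0", ts=None):
    """Render the event as one RFC 5424 line carrying a single SD-ELEMENT.
    PRI 14 = facility user (1) * 8 + severity informational (6)."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    sd_id = f"{app}@{enterprise_id}"  # enterprise_id is a placeholder here
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in event.items() if k != "host")
    return f"<14>1 {ts} {event['host']} {app} - {event['event_id']} [{sd_id} {params}]"


def to_json(event, app="KSWS", ts=None):
    """Render the same event as a single-line JSON document."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return json.dumps({"app": app, "ts": ts, **event}, sort_keys=True)


def send_tcp(target, message, timeout=2.0):
    """Deliver one message over TCP using RFC 6587 octet counting."""
    data = message.encode("utf-8")
    with socket.create_connection(target, timeout=timeout) as sock:
        sock.sendall(f"{len(data)} ".encode("ascii") + data)


class SyslogForwarder:
    """Tries the main syslog server first, then the mirror. Delivery
    failures are recorded so they can be surfaced as local audit events."""

    def __init__(self, primary, mirror, send=send_tcp, formatter=to_structured_data):
        self.targets = [primary, mirror]
        self.send = send
        self.formatter = formatter
        self.local_log = []   # events still stored on the protected device
        self.failures = []    # (target, error) pairs for unreachable servers

    def publish(self, event, delete_local=False):
        """Store the event locally, forward it, and in 'delete local copies'
        mode drop the local copy only after a server accepted it.
        Returns the server that accepted the event, or None."""
        self.local_log.append(event)
        message = self.formatter(event)
        for target in self.targets:
            try:
                self.send(target, message)
                if delete_local:
                    self.local_log.remove(event)
                return target
            except OSError as err:  # includes socket.gaierror and timeouts
                self.failures.append((target, str(err)))
        return None  # both servers unreachable; the local copy is retained


if __name__ == "__main__":
    # Placeholder hostnames; replace with the real main and mirror servers.
    fwd = SyslogForwarder(("siem-primary.example", 6514), ("siem-mirror.example", 6514))
    print(to_structured_data(SAMPLE_EVENT))
    print(to_json(SAMPLE_EVENT))
    print("delivered to:", fwd.publish(SAMPLE_EVENT, delete_local=True))
    print("failures:", fwd.failures)
```

The `send` parameter is injectable so the failover path can be exercised without a live server; in production `send_tcp` is used. Note that in "delete local copies" mode the local entry is only removed after a successful send, so an outage of both servers never loses the event, which is the behaviour a reliability-conscious deployment should verify before enabling that mode.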
