Kaspersky Security Center 13.1
[Topic 151332]

Scenario: configuring event export to SIEM systems

Kaspersky Security Center lets you configure event export in one of the following ways: export to any SIEM system that uses Syslog format; export to the QRadar, Splunk, and ArcSight SIEM systems, which use the LEEF and CEF formats; or export of events to SIEM systems directly from the Kaspersky Security Center database. When you complete this scenario, Administration Server sends events to the SIEM system automatically.

Prerequisites

Before you start configuring export of events in Kaspersky Security Center:

You can perform the steps of this scenario in any order.

The process of exporting events to a SIEM system consists of the following steps:

Results

After configuring export of events to a SIEM system, you can view the export results, provided that you have selected the events that you want to export.

See also:

About event export

Before you begin

About events in Kaspersky Security Center

About configuring event export in a SIEM system

Marking events of a Kaspersky application for export in the Syslog format

Marking general events for export in Syslog format

Configuring Kaspersky Security Center for export of events to a SIEM system

Exporting events directly from the database

Viewing export results

[Topic 151328]

Before you begin


When setting up automatic export of events in the Kaspersky Security Center, you must specify some of the SIEM system settings. It is recommended that you check these settings in advance in order to prepare for setting up Kaspersky Security Center.

To successfully configure automatic sending of events to a SIEM system, you must know the following settings:

  • SIEM system server address

    The IP address of the server on which the currently used SIEM system is installed. Check this value in your SIEM system settings.

  • SIEM system server port

    Port number used to establish a connection between Kaspersky Security Center and your SIEM system server. You specify this value in the Kaspersky Security Center settings and in the receiver settings of your SIEM system.

  • Protocol

    Protocol used for transferring messages from Kaspersky Security Center to your SIEM system. You specify this value in the Kaspersky Security Center settings and in the receiver settings of your SIEM system.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151329]

About events in Kaspersky Security Center

Kaspersky Security Center allows you to receive information about events that occur during the operation of Administration Server and Kaspersky applications installed on managed devices. Information about events is saved in the Administration Server database. You can export this information to external SIEM systems. Exporting event information to external SIEM systems enables administrators of SIEM systems to promptly respond to security system events that occur on managed devices or administration groups.

Event types

In Kaspersky Security Center, there are the following types of events:

  • General events. These events occur in all managed Kaspersky applications. An example of a general event is Virus outbreak. General events have strictly defined syntax and semantics. General events are used, for instance, in reports and dashboards.
  • Managed Kaspersky applications-specific events. Each managed Kaspersky application has its own set of events.

Event sources

Events can be generated by the following applications:

You can view the full list of events that can be generated by an application on the Event configuration tab in the application policy. For Administration Server, you can additionally view the event list in the Administration Server properties.

Importance level of events

Each event has its own importance level. Depending on the conditions of its occurrence, an event can be assigned various importance levels. There are four importance levels of events:

  • A critical event is an event that indicates the occurrence of a critical problem that may lead to data loss, an operational malfunction, or a critical error.
  • A functional failure is an event that indicates the occurrence of a serious problem, error or malfunction that occurred during operation of the application or while performing a procedure.
  • A warning is an event that is not necessarily serious, but nevertheless indicates a potential problem in the future. Most events are designated as warnings if the application can be restored without loss of data or functional capabilities after such events occur.
  • An info event is an event that occurs for the purpose of informing about successful completion of an operation, proper functioning of the application, or completion of a procedure.

Each event has a defined storage term, during which you can view or modify it in Kaspersky Security Center. Some events are not saved in the Administration Server database by default because their defined storage term is zero. Only events that will be stored in the Administration Server database for at least one day can be exported to external systems.

See also:

Event types

Scenario: configuring event export to SIEM systems

Marking events of a Kaspersky application for export in Syslog format

Marking general events for export in Syslog format

[Topic 151331]

About event export

You can use event export within centralized systems that deal with security issues on an organizational and technical level, provide security monitoring services, and consolidate information from different solutions. These are SIEM systems, which provide real-time analysis of security alerts and events generated by network hardware and applications, or Security Operation Centers (SOCs).

These systems receive data from many sources, including networks, security, servers, databases, and applications. SIEM systems also provide functionality to consolidate monitored data in order to help you avoid missing critical events. In addition, the systems perform automated analysis of correlated events and alerts in order to notify the administrators of immediate security issues. Alerting can be implemented through a dashboard or can be sent through third-party channels such as email.

The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties: an event sender, Kaspersky Security Center, and an event receiver, a SIEM system. To successfully export events, you must configure this in your SIEM system and in the Kaspersky Security Center Administration Console. It does not matter which side you configure first. You can configure the transmission of events in the Kaspersky Security Center and then configure the receipt of events by the SIEM system, or vice versa.

Methods for sending events from Kaspersky Security Center

There are three methods for sending events from Kaspersky Security Center to external systems:

  • Sending events over the Syslog protocol to any SIEM system

    Using the Syslog protocol, you can relay any events that occur on the Kaspersky Security Center Administration Server and in Kaspersky applications that are installed on managed devices. When exporting events over the Syslog protocol, you can select exactly which types of events will be relayed to the SIEM system. The Syslog protocol is a standard message-logging protocol. For this reason, you can use the Syslog protocol to export events to any SIEM system.

  • Sending events over the CEF and LEEF protocols to QRadar, Splunk, and ArcSight systems

    You can use the CEF and LEEF protocols to export general events. When exporting events over the CEF and LEEF protocols, you do not have the capability to select specific events to export. Instead, all general events are exported. Unlike the Syslog protocol, the CEF and LEEF protocols are not universal. CEF and LEEF are intended for the appropriate SIEM systems (QRadar, Splunk, and ArcSight). Therefore, when you choose to export events over one of these protocols, you use the required parser in the SIEM system.

    To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be activated in Administration Server by using an active license key or valid activation code.

  • Directly from the Kaspersky Security Center database to any SIEM system

    This method of exporting events can be used to receive events directly from public views of the database by means of SQL queries. The results of a query are saved to an XML file that can be used as input data for an external system. Only events available in public views can be exported directly from the database.

Receipt of events by the SIEM system

The SIEM system must receive and correctly parse events received from Kaspersky Security Center. For these purposes, you must properly configure the SIEM system. The configuration depends on the specific SIEM system utilized. However, there are a number of general steps in the configuration of all SIEM systems, such as configuring the receiver and the parser.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151330]

About configuring event export in a SIEM system


The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties: an event sender (Kaspersky Security Center) and an event receiver (the SIEM system). You must configure the export of events both in your SIEM system and in Kaspersky Security Center.

The settings that you specify in the SIEM system depend on the particular system that you are using. Generally, for all SIEM systems you must set up a receiver and, optionally, a message parser to parse received events.

Setting up the receiver

To receive events sent by Kaspersky Security Center, you must set up the receiver in your SIEM system. In general, the following settings must be specified in the SIEM system:

  • Export protocol or input type

    The message transfer protocol, either TCP/IP or UDP. This protocol must be the same as the protocol you specified in Kaspersky Security Center.

  • Port

    Port number to connect to Kaspersky Security Center. This port must be the same as the port you specified in Kaspersky Security Center.

  • Message protocol or source type

    The protocol used to export events to the SIEM system. It can be one of the standard protocols: Syslog, CEF, or LEEF. The SIEM system selects the message parser according to the protocol you specify.

Depending on the SIEM system that you use, you may have to specify some additional receiver settings.

The figure below shows the receiver setup screen in ArcSight.

In ArcSight, the receiver setup screen is located on the Configuration tab. The receiver settings are specified as follows: the receiver name is tcp cef, the IP/Host property is All, the Port is 616, the Encoding is UTF-8, the Source Type is CEF.

Receiver setup in ArcSight

Message parser

Exported events are passed to SIEM systems as messages. These messages must be properly parsed so that information on the events can be used by the SIEM system. Message parsers are part of the SIEM system; they are used to split the contents of the message into the relevant fields, such as event ID, severity, description, parameters and so on. This enables the SIEM system to process events received from Kaspersky Security Center so that they can be stored in the SIEM system database.

Each SIEM system has a set of standard message parsers. Kaspersky also provides message parsers for some SIEM systems, for example, for QRadar and ArcSight. You can download these message parsers from the websites of the corresponding SIEM systems. When configuring the receiver, you can select to use one of the standard message parsers or a message parser from Kaspersky.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151335]

Marking of events for export to SIEM systems in Syslog format

This section describes how to mark events for further export to SIEM systems in Syslog format.

In this section

About marking events for export to SIEM system in the Syslog format

Marking events of a Kaspersky application for export in Syslog format

Marking general events for export in Syslog format

See also:

Scenario: configuring event export to SIEM systems

[Topic 218223]

About marking events for export to SIEM system in the Syslog format

After enabling automatic export of events, you must select which events will be exported to the external SIEM system.

You can configure export of events in the Syslog format to an external system based on one of the following conditions:

  • Marking general events. If you mark events to export in a policy, in the settings of an event, or in the Administration Server settings, the SIEM system will receive the marked events that occurred in all applications managed by the specific policy. If exported events were selected in the policy, you will not be able to redefine them for an individual application managed by this policy.
  • Marking events for a managed application. If you mark events to export for a managed application installed on a managed device, the SIEM system will receive only the events that occurred in this application.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151327]

Marking events of a Kaspersky application for export in Syslog format

If you want to export events that occurred in an individual managed application installed on a managed device, mark the events for export for the application. If previously exported events were marked in the policy, you will not be able to redefine the marked events for an individual application managed by this policy.

To mark the events for export for an individual managed application:

  1. In the Kaspersky Security Center console tree, select the Managed devices node and go to the Devices tab.
  2. Right-click to open the context menu of the relevant device and select Properties.
  3. In the device properties window that opens, select the Applications section.
  4. In the list of applications that appears, select the application whose events you need to export and click the Properties button.
  5. In the application properties window, select the Event configuration section.
  6. In the list of events that appears, select one or several events that need to be exported to the SIEM system, and click the Properties button.
  7. In the event properties window that appears, select the Export to SIEM system using Syslog check box to mark the selected events for export in Syslog format. Clear the Export to SIEM system using Syslog check box to unmark the selected events for export in Syslog format.

    If event properties are defined in a policy, the fields of this window cannot be edited.

    Event properties window

  8. Click OK to save the changes.
  9. Click OK in the application properties window and in the device properties window.

The marked events will be sent to the SIEM system in Syslog format. The events for which you cleared the Export to SIEM system using Syslog check box will not be exported to a SIEM system. The export starts immediately after you enable automatic export and select the events to export. Configure the SIEM system to ensure that it can receive events from Kaspersky Security Center.

See also

Scenario: configuring event export to SIEM systems

[Topic 151326]

Marking general events for export in Syslog format

If you want to export events that occurred in all applications managed by a specific policy, mark the events to export in the policy. In this case, you cannot mark events for an individual managed application.

To mark general events for export to a SIEM system:

  1. In the Kaspersky Security Center console tree, select the Policies node.
  2. Right-click to open the context menu of the relevant policy and select Properties.
  3. In the policy properties window that opens, select the Event configuration section.
  4. In the list of events that appears, select one or several events that need to be exported to the SIEM system, and click the Properties button.

    If you need to select all events, click the Select all button.

  5. In the event properties window that appears, select the Export to SIEM system using Syslog check box to mark the selected events for export in Syslog format. Unselect the Export to SIEM system using Syslog check box to unmark the selected events for export in Syslog format.

    Administration Server event properties window

  6. Click OK to save the changes.
  7. In the policy properties window, click OK.

The marked events will be sent to the SIEM system in Syslog format. The events for which you cleared the Export to SIEM system using Syslog check box will not be exported to a SIEM system. The export starts immediately after you enable automatic export and select the events to export. Configure the SIEM system to ensure that it can receive events from Kaspersky Security Center.

See also

Scenario: configuring event export to SIEM systems

[Topic 151325]

About exporting events using Syslog format

You can use the Syslog format to export to SIEM systems the events that occur in Administration Server and other Kaspersky applications installed on managed devices.

Syslog is a standard message-logging protocol. It separates the software that generates messages, the system that stores them, and the software that reports on and analyzes them. Each message is labeled with a facility code, which indicates the type of software that generated the message, and is assigned a severity level.

The Syslog format is defined by Request for Comments (RFC) documents published by the Internet Engineering Task Force (internet standards). The RFC 5424 standard is used to export the events from Kaspersky Security Center to external systems.

In Kaspersky Security Center, you can configure export of the events to the external systems using the Syslog format.

The export process consists of two steps:

  1. Enabling automatic event export. At this step, Kaspersky Security Center is configured so that it sends events to the SIEM system. Kaspersky Security Center starts sending events immediately after you enable automatic export.
  2. Selecting the events to be exported to the external system. At this step, you select which events to export to the SIEM system.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151333]

About exporting events using CEF and LEEF formats

You can use the CEF and LEEF formats to export to SIEM systems general events, as well as the events transferred by Kaspersky applications to the Administration Server. The set of export events is predefined, and you cannot select the events to be exported.

To export events over the CEF and LEEF protocols, the Integration with the SIEM systems feature must be activated in Administration Server by using an active license key or valid activation code.

Select the format of export on the basis of the SIEM system used. The table below shows SIEM systems and the corresponding formats of export.

Formats of event export to a SIEM system

    SIEM system     Format of export
    QRadar          LEEF
    ArcSight        CEF
    Splunk          CEF

  • LEEF (Log Event Extended Format)—A customized event format for IBM Security QRadar SIEM. QRadar can integrate, identify, and process LEEF events. LEEF events must use UTF-8 character encoding. You can find detailed information on LEEF protocol in IBM Knowledge Center.
  • CEF (Common Event Format)—An open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF enables you to use a common event log format so that data can easily be integrated and aggregated for analysis by an enterprise management system.

Automatic export means that Kaspersky Security Center sends general events to the SIEM system. Automatic export of events starts immediately after you enable it. This section explains in detail how to enable automatic event export.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151345]

Configuring Kaspersky Security Center for export of events to a SIEM system


You can enable automatic event export in Kaspersky Security Center.

Only general events can be exported from managed applications in the CEF and LEEF formats. Application-specific events cannot be exported from managed applications in these formats. If you need to export events of managed applications, or a custom set of events that has been configured using the policies of managed applications, you have to export the events in Syslog format.

To enable automatic export of events:

  1. In the Kaspersky Security Center console tree, select the Administration Server whose events you want to export.
  2. In the workspace of the selected Administration Server, select the Events tab.
  3. Click the drop-down arrow next to the Configure notifications and event export link and select Configure export to SIEM system in the drop-down list.

    The events properties window opens, displaying the Event export section.

  4. In the Event export section, specify the following export settings:

    In the Event export section, the Automatically export events to SIEM system database check box is selected, the SIEM system property is set to ArcSight (CEF format), the SIEM system server address and port are specified, and the Protocol property is set to TCP/IP.

    Event export section of the event properties window

    • Automatically export events to SIEM system database

      Select this check box to enable automatic export of events to SIEM systems. Selecting this check box enables all fields in the Exporting events section.

    • SIEM system

      Select the SIEM system to export the events: QRadar (LEEF format), ArcSight (CEF format), Splunk (CEF format), and Syslog format (RFC 5424).

    • SIEM system server address

      Specify the SIEM system server address. The address can be specified as a DNS or NetBIOS name, or as an IP address.

    • SIEM system server port

      Specify the port number to connect to the SIEM system server. This port number must be the same as the one your SIEM system uses to receive events (see section Configuring a SIEM system for details).

    • Protocol

      Select the protocol to be used for transferring messages to the SIEM system. You can select either the TCP/IP, UDP, or TLS over TCP protocol.

      Specify the following TLS settings if you select the TLS over TCP protocol:

      • SIEM server authentication

        Choose one of the following ways to authenticate the SIEM system server:

        • By using CA certificates. You can receive a file with a list of certificates from a trusted certification authority (CA) and upload the file to Kaspersky Security Center. Kaspersky Security Center then checks whether the SIEM system server certificate is signed by one of these trusted CAs.

          To add a trusted certificate, click the Browse button, and then upload the certificate.

          If you select the By using CA certificates option, you can also specify subject names in the Subjects of server certificates (optional) field. A subject name is the domain name for which the certificate was issued. Kaspersky Security Center cannot connect to the SIEM system server if the domain name of the SIEM system server does not match the subject name in the SIEM system server certificate. If the SIEM system server is to be reached under a domain name other than the subject name in its certificate, list the accepted subject names in the Subjects of server certificates (optional) field. If any of the specified subject names matches the subject name in the SIEM system server certificate, Kaspersky Security Center validates the certificate.

        • By using SHA-1 thumbprints of server certificates. You can specify SHA-1 thumbprints of the SIEM system certificates in Kaspersky Security Center. To add a SHA-1 thumbprint, enter it in the field under the option.
      • Client authentication

        For client authentication, you can insert your certificate or generate it in Kaspersky Security Center.

        • Insert certificate. You can use a certificate that you received from any source, for example, from any trusted CA. To insert an existing certificate, click the Browse for certificate button. In the opened Certificate window, choose one of the following certificate types, and then specify the certificate and its private key:
          • X.509 certificate. Upload a file with a private key in the Private key (*.prk, *.pem) field, and a file with a certificate in the Certificate (*.cer) field. To do this, click the Browse button to the right of the corresponding field, and then add the required file. The two files are independent of each other, and the order in which you upload them does not matter. After you upload both files, specify the password for decrypting the private key in the Password field. The password can be empty if the private key is not encrypted.
          • PKCS #12 container. Upload a single file that contains a certificate and its private key in the Certificate file field. To do this, click the Browse button to the right of the field, and then add the required file. After you upload the file, specify the password for decrypting the private key in the Password field. The password can be empty if the private key is not encrypted.
        • Generate key. You can generate a self-signed certificate in Kaspersky Security Center. Click the Generate certificate button, and then enter a subject name in the Subject field. The client certificate is generated for this subject name and the SHA-1 thumbprint of this certificate is displayed in the SHA-1 thumbprint of client certificate field. As a result, Kaspersky Security Center stores the generated self-signed certificate, and you can pass the public part of the certificate or SHA-1 thumbprint to the SIEM system.

    If you select Syslog format, you must specify:

    • Maximum message size, in bytes

      Specify the maximum size (in bytes) of one message relayed to the SIEM system. Each event is relayed in one message. If the actual length of a message exceeds the specified value, the message is truncated and data may be lost. The default size is 2048 bytes. This field is available only if you selected the Syslog format in the SIEM system field.

  5. If you want to export to the SIEM system database the events that occurred after a specified date in the past, click the Export archive button and specify the start date for event export. By default, the event export starts immediately after you enable it.
  6. Click OK.

Automatic export of events is enabled.

After enabling automatic export of events, you must select which events will be exported to the SIEM system.
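As an added example (not Kaspersky's code), the following Python script shows what the Syslog export described above produces: an RFC 5424 message whose PRI is derived from facility and severity, structured data carrying the event parameters, and truncation to the Maximum message size setting without splitting a UTF-8 character. The facility, the APP-NAME "KSC", the SD-ID, the event fields and the mapping of the four importance levels to syslog severities are assumptions, not values taken from the product.

```python
"""Added example, not Kaspersky's code: build the kind of RFC 5424 syslog message the
Syslog export sends, and enforce the Maximum message size setting (default 2048 bytes)."""
import datetime

# Facility code: RFC 5424 PRI = facility * 8 + severity. The facility that
# Administration Server actually uses is not stated on the page; local0 is assumed.
FACILITY_LOCAL0 = 16

# Assumed mapping of the four importance levels to RFC 5424 severity values.
SEVERITY = {"critical": 2, "functional failure": 3, "warning": 4, "info": 6}


def sd_escape(value: str) -> str:
    """Escape a structured-data PARAM-VALUE as RFC 5424 section 6.3.3 requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def truncate_utf8(data: bytes, limit: int) -> bytes:
    """Cut the message to at most `limit` bytes without leaving a partial UTF-8 character."""
    if len(data) <= limit:
        return data
    # decoding with "ignore" drops an incomplete trailing sequence; then re-encode
    return data[:limit].decode("utf-8", "ignore").encode("utf-8")


def build_syslog_message(event: dict, sender: str, max_size: int = 2048) -> bytes:
    """Return one syslog message for `event` (one event per message, as the page states).

    event keys (constructed for this example): importance, time (aware datetime),
    event_type, params (dict of event parameters), description.
    """
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[event["importance"]]
    utc = event["time"].astimezone(datetime.timezone.utc)
    timestamp = utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"   # millisecond precision
    params = " ".join(f'{k}="{sd_escape(str(v))}"' for k, v in event["params"].items())
    # SD-ID "ksc@32473" is a placeholder built on the RFC's example enterprise number
    structured_data = f"[ksc@32473 {params}]"
    # HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID; APP-NAME "KSC" is assumed
    header = f"<{pri}>1 {timestamp} {sender} KSC - {event['event_type']} {structured_data} "
    raw = header.encode("utf-8") + event["description"].encode("utf-8")
    return truncate_utf8(raw, max_size)


# Constructed sample event; "ExampleEventType" is a placeholder, not a real KSC event type.
SAMPLE_EVENT = {
    "importance": "critical",
    "time": datetime.datetime(2024, 3, 1, 12, 0, 0, tzinfo=datetime.timezone.utc),
    "event_type": "ExampleEventType",
    "params": {"device": "ws-01", "group": "Managed devices"},
    "description": "Device status is Critical",
}

if __name__ == "__main__":
    print(build_syslog_message(SAMPLE_EVENT, "ksc-admin-server").decode())
    # a deliberately small limit shows the truncation the page warns about
    print(build_syslog_message(SAMPLE_EVENT, "ksc-admin-server", max_size=60).decode())
```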

See also:

Scenario: configuring event export to SIEM systems

Marking of events for export to SIEM systems in Syslog format

[Topic 89277]

Exporting events directly from the database

You can retrieve events directly from the Kaspersky Security Center database without having to use the Kaspersky Security Center interface. You can either query the public views directly and retrieve the event data or create your own views on the basis of existing public views and address them to get the data you need.

Public views

For your convenience, a set of public views is provided in the Kaspersky Security Center database. You can find the description of these public views in the klakdb.chm document.

The v_akpub_ev_event public view contains a set of fields that represent the event parameters in the database. In the klakdb.chm document you can also find information on public views corresponding to other Kaspersky Security Center entities, for example, devices, applications, or users. You can use this information in your queries.

This section contains instructions for creating an SQL query by means of the klsql2 utility and a query example.

To create SQL queries or database views, you can also use any other program for working with databases. Information on how to view the parameters for connecting to the Kaspersky Security Center database, such as instance name and database name, is given in the corresponding section.

In this section

Creating an SQL query using the klsql2 utility

Example of an SQL query in the klsql2 utility

Viewing the Kaspersky Security Center database name

See also:

Scenario: configuring event export to SIEM systems

[Topic 151344]

Creating an SQL query using the klsql2 utility

This section describes how to download and use the klsql2 utility, and how to create an SQL query by using this utility. When you create an SQL query by means of the klsql2 utility, you do not have to provide the database name and access parameters, because the query addresses Kaspersky Security Center public views directly.

To download and use the klsql2 utility:

  1. Download the klsql2 utility from Kaspersky website.
  2. Copy and extract the downloaded klsql2.zip file to any folder on the device with Kaspersky Security Center Administration Server installed.

    The klsql2.zip package includes the following files:

    • klsql2.exe
    • src.sql
    • start.cmd
  3. Open the src.sql file in any text editor.
  4. In the src.sql file, type the SQL query that you want, and then save the file.
  5. On the device with Kaspersky Security Center Administration Server installed, in the command line, type the following command to run the SQL query from the src.sql file and save the results to the result.xml file:

    klsql2 -i src.sql -o result.xml

  6. Open the newly created result.xml file to view the query results.

You can edit the src.sql file and create any query to the public views. Then, from the command line, execute your query and save the results to a file.

See also

Scenario: configuring event export to SIEM systems

[Topic 151343]

Example of an SQL query in the klsql2 utility

This section shows an example of an SQL query, created by means of the klsql2 utility.

The following example retrieves the events that occurred on devices during the last seven days and displays them ordered by the time they occurred, with the most recent events first.

Example:

    SELECT
        e.nId,                    /* event identifier */
        e.tmRiseTime,             /* time when the event occurred */
        e.strEventType,           /* internal name of the event type */
        e.wstrEventTypeDisplayName, /* displayed name of the event */
        e.wstrDescription,        /* displayed description of the event */
        e.wstrGroupName,          /* name of the group where the device is located */
        h.wstrDisplayName,        /* displayed name of the device on which the event occurred */
        /* nIp stores the IPv4 address as a 32-bit integer; rebuild the dotted form byte by byte */
        CAST(((h.nIp / 16777216) & 255) AS varchar(4)) + '.' +
        CAST(((h.nIp / 65536) & 255) AS varchar(4)) + '.' +
        CAST(((h.nIp / 256) & 255) AS varchar(4)) + '.' +
        CAST(((h.nIp) & 255) AS varchar(4)) AS strIp /* IP address of the device on which the event occurred */
    FROM v_akpub_ev_event e                              /* public view of events */
    INNER JOIN v_akpub_host h ON h.nId = e.nHostId       /* public view of devices */
    WHERE e.tmRiseTime >= DATEADD(Day, -7, GETUTCDATE()) /* last seven days, in UTC */
    ORDER BY e.tmRiseTime DESC                           /* most recent events first */

See also:

Scenario: configuring event export to SIEM systems

[Topic 151338]

Viewing the Kaspersky Security Center database name


It can be helpful to know the database name if you need, for example, to send an SQL query and connect to the database from your SQL script editor.

To view the name of the Kaspersky Security Center database:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder and select Properties.
  2. In the Administration Server properties window, in the Sections pane select Advanced and then Details of current database.
  3. In the Details of current database section, note the following database properties (see figure below):
    • Instance name

      Name of the current Kaspersky Security Center database instance. The default value is .\KAV_CS_ADMIN_KIT.

    • Database name

      Name of the Kaspersky Security Center SQL database. The default value is KAV.

    The Details of current database section contains the following information: the Instance name, the Database name, the Database file size, the Size of data in the database, and the Number of events stored in the database.

    Section with information about the current Administration Server database

  4. Click the OK button to close the Administration Server properties window.

Use the database name to address the database in your SQL queries.

See also:

Scenario: configuring event export to SIEM systems

[Topic 151339]

Viewing export results

You can check whether the event export procedure completed successfully. To do this, check whether the messages with exported events are received by your SIEM system.

If the events sent from Kaspersky Security Center are received and properly parsed by your SIEM system, configuration on both sides is done properly. Otherwise, check the settings you specified in Kaspersky Security Center against the configuration in your SIEM system.

The figure below shows the events exported to ArcSight. For example, the first event is a critical Administration Server event: "Device status is Critical".

The representation of export events in the SIEM system varies according to the SIEM system you use.

Example of events
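To check on the receiver side that events actually arrive and parse, here is an added Python example (not Kaspersky's code) that parses RFC 5424 messages the way a generic syslog receiver would, counts them by severity, and flags messages whose structured data never closes, which is what a message cut at the Maximum message size looks like. The sample lines are constructed for this example; the SD-ID, APP-NAME and event type in them are placeholders.

```python
"""Added example, not Kaspersky's code: parse RFC 5424 messages captured on the SIEM
receiver, summarise what arrived per severity and flag lines that look truncated."""
import re
from collections import Counter

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)", re.DOTALL)
# PARAM-NAME="PARAM-VALUE" inside an SD-ELEMENT; the value may contain \" \] \\ escapes
PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def split_structured_data(rest: str):
    """Return (sd_text, msg): sd_text is '-' or all [..] elements, msg is the free text."""
    if rest.startswith("-"):
        return "-", rest[1:].lstrip(" ")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1   # an escaped character never closes the element
        if j >= len(rest):
            raise ValueError("unterminated SD-ELEMENT: message probably truncated")
        i = j + 1
    if i == 0:
        raise ValueError("missing structured data")
    return rest[:i], rest[i:].lstrip(" ")


def parse_rfc5424(line: str) -> dict:
    """Parse one syslog line into its header fields, SD parameters and message."""
    m = HEADER_RE.fullmatch(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m["pri"])
    sd_text, msg = split_structured_data(m["rest"])
    params = {n: re.sub(r"\\(.)", r"\1", v) for n, v in PARAM_RE.findall(sd_text)}
    return {"facility": pri // 8, "severity": SEVERITY_NAMES[pri % 8],
            "timestamp": m["ts"], "host": m["host"], "app": m["app"],
            "msgid": m["msgid"], "params": params, "msg": msg}


def summarize(lines):
    """Count parsed messages per severity; collect the lines that failed to parse."""
    counts, bad = Counter(), []
    for line in lines:
        try:
            counts[parse_rfc5424(line)["severity"]] += 1
        except ValueError as exc:
            bad.append((line, str(exc)))
    return counts, bad


# Constructed sample capture: two complete messages and one cut off mid structured data.
SAMPLE_LINES = [
    '<130>1 2024-03-01T12:00:00.000Z ksc-admin-server KSC - ExampleEventType '
    '[ksc@32473 device="ws-01" group="Managed devices"] Device status is Critical',
    '<132>1 2024-03-01T12:00:05.000Z ksc-admin-server KSC - ExampleEventType '
    '[ksc@32473 device="ws-02" description="path C:\\\\tmp\\]"] Warning text',
    '<134>1 2024-03-01T12:00:09.000Z ksc-admin-server KSC - ExampleEventType '
    '[ksc@32473 device="ws-03" group="Managed dev',
]

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LINES)
    print(dict(counts))
    for line, reason in bad:
        print("unparseable:", reason, "|", line[:60])
```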

See also:

Scenario: configuring event export to SIEM systems
