Marking of events for export to SIEM systems in Syslog format
This section describes how to mark events for further export to SIEM systems in Syslog format.
About marking events for export to SIEM system in the Syslog format
After enabling automatic export of events, you must select which events will be exported to the external SIEM system.
You can configure export of events in the Syslog format to an external system based on one of the following conditions:
- Marking general events. If you mark events for export in a policy, in the settings of an event, or in the Administration Server settings, the SIEM system will receive the marked events that occurred in all applications managed by that policy. If the events to export were selected in the policy, you will not be able to redefine them for an individual application managed by this policy.
- Marking events for a managed application. If you mark events to export for a managed application installed on a managed device, the SIEM system will receive only the events that occurred in this application.
Marking events of a Kaspersky application for export in Syslog format
If you want to export events that occurred in an individual managed application installed on a managed device, mark the events for export in the application settings. If the events to export were previously marked in the policy, you will not be able to redefine the marked events for an individual application managed by this policy.
To mark the events for export for an individual managed application:
- In the Kaspersky Security Center console tree, select the Managed devices node and go to the Devices tab.
- Right-click to open the context menu of the relevant device and select Properties.
- In the device properties window that opens, select the Applications section.
- In the list of applications that appears, select the application whose events you need to export and click the Properties button.
- In the application properties window, select the Event configuration section.
- In the list of events that appears, select one or several events that need to be exported to the SIEM system, and click the Properties button.
- In the event properties window that appears, select the Export to SIEM system using Syslog check box to mark the selected events for export in Syslog format. Clear the Export to SIEM system using Syslog check box to unmark the selected events for export in Syslog format.
If event properties are defined in a policy, the fields of this window cannot be edited.
Event properties window
- Click OK to save the changes.
- Click OK in the application properties window and in the device properties window.
The marked events will be sent to the SIEM system in the Syslog format. The events for which you cleared the Export to SIEM system using Syslog check box will not be exported to the SIEM system. The export starts immediately after you enable automatic export and select the events to export. Configure the SIEM system so that it can receive events from Kaspersky Security Center.
Marking general events for export in Syslog format
If you want to export events that occurred in all applications managed by a specific policy, mark the events to export in the policy. In this case, you cannot mark events for an individual managed application.
To mark general events for export to a SIEM system:
- In the Kaspersky Security Center console tree, select the Policies node.
- Right-click to open the context menu of the relevant policy and select Properties.
- In the policy properties window that opens, select the Event configuration section.
- In the list of events that appears, select one or several events that need to be exported to the SIEM system, and click the Properties button.
If you need to select all events, click the Select all button.
- In the event properties window that appears, select the Export to SIEM system using Syslog check box to mark the selected events for export in Syslog format. Clear the Export to SIEM system using Syslog check box to unmark the selected events for export in Syslog format.
Administration Server event properties window
- Click OK to save the changes.
- In the policy properties window, click OK.
The marked events will be sent to the SIEM system in the Syslog format. The events for which you cleared the Export to SIEM system using Syslog check box will not be exported to the SIEM system. The export starts immediately after you enable automatic export and select the events to export. Configure the SIEM system so that it can receive events from Kaspersky Security Center.