Kaspersky Security Center 13.1

Marking of events for export to SIEM systems in Syslog format

This section describes how to mark events for further export to SIEM systems in Syslog format.

In this section

About marking events for export to a SIEM system in the Syslog format

Marking events of a Kaspersky application for export in the Syslog format

Marking general events for export in Syslog format

See also:

Scenario: configuring event export to SIEM systems


About marking events for export to a SIEM system in the Syslog format

After enabling automatic export of events, you must select which events will be exported to the external SIEM system.

You can configure export of events in the Syslog format to an external system based on one of the following conditions:

  • Marking general events. If you mark events to export in a policy, in the settings of an event, or in the Administration Server settings, the SIEM system will receive the marked events that occurred in all applications managed by the specific policy. If exported events were selected in the policy, you will not be able to redefine them for an individual application managed by this policy.
  • Marking events for a managed application. If you mark events to export for a managed application installed on a managed device, the SIEM system will receive only the events that occurred in this application.

See also:

Scenario: configuring event export to SIEM systems


Marking events of a Kaspersky application for export in the Syslog format

If you want to export events that occurred in a specific managed application installed on the managed devices, mark the events for export in the application policy. In this case, the marked events are exported from all of the devices included in the policy scope.

To mark events for export for a specific managed application:

  1. In the main menu, go to DEVICES → POLICIES & PROFILES.
  2. Click the policy of the application for which you want to mark events.

    The policy settings window opens.

  3. Go to the Event configuration section.
  4. Select the check boxes next to the events that you want to export to a SIEM system.
  5. Click the Mark for export to SIEM system by using Syslog button.

    You can also mark an event for export to a SIEM system in the Event registration section, which opens when you click the link of the event.

  6. A check mark appears in the Syslog column of each event that you marked for export to the SIEM system.
  7. Click the Save button.

The marked events from the managed application are ready to be exported to a SIEM system.

You can also mark which events to export to a SIEM system for a specific managed device. If the events to export were previously marked in an application policy, you will not be able to redefine the marked events for an individual managed device.

To mark events for export for a managed device:

  1. In the main menu, go to DEVICES → MANAGED DEVICES.

    The list of managed devices is displayed.

  2. Click the link with the name of the required device in the list of managed devices.

    The properties window of the selected device is displayed.

  3. Go to the Applications section.
  4. Click the link with the name of the required application in the list of applications.
  5. Go to the Event configuration section.
  6. Select the check boxes next to the events that you want to export to a SIEM system.
  7. Click the Mark for export to SIEM system by using Syslog button.

    You can also mark an event for export to a SIEM system in the Event registration section, which opens when you click the link of the event.

  8. A check mark appears in the Syslog column of each event that you marked for export to the SIEM system.

From now on, Administration Server sends the marked events to the SIEM system if export to the SIEM system is configured.

See also:

About events in Kaspersky Security Center


Marking general events for export in Syslog format

You can mark general events that Administration Server will export to SIEM systems by using the Syslog format.

To mark general events for export to a SIEM system:

  1. Do one of the following:
    • Click the settings icon next to the name of the required Administration Server.
    • In the main menu, go to DEVICES → POLICIES & PROFILES, and then click a link of a policy.
  2. In the window that opens, go to the Event configuration tab.
  3. Click Mark for export to SIEM system by using Syslog.

    You can also mark an event for export to a SIEM system in the Event registration section, which opens when you click the link of the event.

  4. A check mark appears in the Syslog column of each event that you marked for export to the SIEM system.

From now on, Administration Server sends the marked events to the SIEM system if export to the SIEM system is configured.

See also:

About events in Kaspersky Security Center
