In the SIEM system server address field, specify the IP address of the server on which the currently used SIEM system is installed.
Check this value in your SIEM system settings.
In the SIEM system port field, specify the port number used to establish a connection between Kaspersky Security Center Cloud Console and your SIEM system server.
You specify this value in the Kaspersky Security Center Cloud Console settings and in the receiver settings of your SIEM system.
In the Protocol list, the value is preselected. You can use only TLS over TCP protocol for transferring messages to the SIEM system.
In the Server authentication drop-down list, select one of the following items:
Trusted certificates, and then click the Browse for CA certificates file button that displays to upload the trusted certificate.
You can receive a complete certificate chain (including the root certificate) from a trusted certification authority (CA) and upload the file to Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud Console checks whether the certificate chain of the SIEM system server is also signed by a trusted CA or not.
SHA fingerprints, and then in the Thumbprints field, enter the SHA1 thumbprint, and click the Add button.
You can specify SHA1 thumbprints of the complete certificate chain of the SIEM system (including the root certificate) in Kaspersky Security Center Cloud Console.
Click the Add Subject name/Subject alternative name link.
The link is only displayed if you selected the Trusted certificates item in the Server authentication drop-down list.
Subject name is a domain name for which the certificate is received. Kaspersky Security Center Cloud Console cannot connect to the SIEM system server if the domain name of the SIEM system server does not match the subject name of the SIEM system server certificate. However, the SIEM system server can change its domain name if the name has changed in the certificate. In this case, you can specify subject names in the Subject name/Subject alternative name field. If any of the specified subject names matches the subject name of the SIEM system certificate, Kaspersky Security Center Cloud Console validates the SIEM system server certificate.
Click the Add client authentication link, and then, in the If you do not have any certificate, you can generate one drop-down list, select one of the following:
Generate key, and then click the Generate button if you want to generate a self-signed certificate in Kaspersky Security Center Cloud Console. As a result, Kaspersky Security Center Cloud Console stores the generated self-signed certificate, and you can pass the public part of the certificate or SHA1-fingerprint to the SIEM system.
By using the setting, you generate a certificate to authenticate Kaspersky Security Center Cloud Console. Thus, you will use a self-signed certificate issued by Kaspersky Security Center Cloud Console. In this case, you can use both a trusted certificate and a SHA fingerprint to authenticate the SIEM system server.
Insert certificate if you want to use a certificate that you received from any source, for example, from any trusted CA.
Then specify the certificate and its private key by doing the following:
In the Client certification drop-down list, select the certificate type:
X.509 certificate PEM
X.509 certificate PKCS12
In the File with certificate field, upload a file with a certificate.
If you selected X.509 certificate PEM, in the File with key section that displays, upload a file with a private key.
The file with a certificate and the file with a private key do not depend on each other and the order of loading the files is not significant.
If the private key is encoded, specify the password for decoding in the Password or certificate verification field. Otherwise, you can leave the field empty.
In the Data format section, the System log value is preselected.
You can only specify the limit on the length of a message sent to SIEM in the Maximum message size, in bytes field. If the limit is exceeded, the message is cut off.
If you want, you can export archived events from the Administration Server database and set the start date from which you want to start the export of archived events:
Click the Set the export start date link.
In the section that opens, specify the start date in the Date to start export from field.
Click the OK button.
Switch the Automatically export events to SIEM system database option to the Enabled position.
To check that the SIEM system connection is configured, click the Check connection button.
The connection status will be displayed.
Click the Save button.
Export to a SIEM system is configured. From now on, if you configured the receiving of events in a SIEM system, Administration Server exports the marked events to a SIEM system. If you set the start date of export, Administration Server also exports the marked events stored in the Administration Server database from the specified date.
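For the SHA fingerprints option described above, the following added example (not part of the original documentation or of Kaspersky Security Center Cloud Console) computes the SHA1 thumbprint of every certificate in a PEM chain file and reports which chain certificates are missing from the list you entered. The function names and the sample chain are hypothetical; the sample uses constructed stand-in bytes rather than real certificates.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def chain_thumbprints(pem_text):
    """Return the SHA-1 thumbprint of each certificate in a PEM bundle, in file order."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        # The thumbprint is computed over the DER bytes, not over the PEM text.
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha1(der).hexdigest().upper())
    return prints

def normalize(thumbprint):
    """Strip colons and spaces and upper-case, so 'a9:99:..' and 'A999..' compare equal."""
    value = re.sub(r"[\s:]", "", thumbprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", value):
        raise ValueError(f"not a SHA-1 thumbprint: {thumbprint!r}")
    return value

def missing_from_pins(pem_text, entered):
    """Thumbprints of chain certificates that are absent from the entered list."""
    pinned = {normalize(t) for t in entered}
    return [t for t in chain_thumbprints(pem_text) if t not in pinned]

def make_pem(der):
    """Wrap raw bytes in a PEM certificate envelope (used only to build the sample)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-in bytes, NOT real certificates; real DER is hashed the same way.
SAMPLE_CHAIN = make_pem(b"abc") + make_pem(b"constructed-root-ca")

if __name__ == "__main__":
    entered = ["a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"]
    for position, thumbprint in enumerate(chain_thumbprints(SAMPLE_CHAIN)):
        print(position, thumbprint)
    print("not yet entered:", missing_from_pins(SAMPLE_CHAIN, entered))
```

To use it on a real chain, pass the text of the PEM file exported from your SIEM system server to chain_thumbprints instead of SAMPLE_CHAIN.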