Kaspersky Next XDR Expert

Configuring receipt of Nextcloud events

You can configure the receipt of Nextcloud 26.0.4 events in KUMA.

Configuring event receiving consists of the following steps:

  1. Configuring audit of Nextcloud events.
  2. Configuring a Syslog server to send events.

    The rsyslog service is used to transmit events from the server to the collector.

  3. Creating a KUMA collector for receiving Nextcloud events.

    To receive Nextcloud events, in the Collector Installation Wizard, at the Event parsing step, select the [OOTB] Nextcloud syslog normalizer, and at the Transport step select the tcp or udp connector type.

  4. Installing the KUMA collector for receiving Nextcloud events.
  5. Verifying receipt of Nextcloud events in the KUMA collector.

    You can verify that the Nextcloud event source server is correctly configured in the Searching for related events section of the KUMA Console.

[Topic 265587]

Configuring audit of Nextcloud events

To configure the export of Nextcloud events to KUMA:

  1. On the server where Nextcloud is installed, create a backup copy of the /home/localuser/www/nextcloud/config/config.php configuration file.
  2. Edit the /home/localuser/www/nextcloud/config/config.php Nextcloud configuration file.
  3. Edit the settings as follows:

    'log_type' => 'syslog',
    'syslog_tag' => 'Nextcloud',
    'logfile' => '',
    'loglevel' => 0,
    'log.condition' => [
        'apps' => ['admin_audit'],
    ],

  4. Restart the Nextcloud service:

    sudo service nextcloud restart

Export of events to the KUMA collector is configured.

[Topic 265586]

Configuring a Syslog server to send Nextcloud events

To configure the sending of events from the server where Nextcloud is installed to the collector:

  1. In the /etc/rsyslog.d/ directory, create a Nextcloud-to-siem.conf file with the following content:

    If $programname contains 'Nextcloud' then @<IP address of the collector>:<port of the collector>

    Example:

    If $programname contains 'Nextcloud' then @192.168.1.5:1514

    If you want to send events via TCP, the contents of the file must be as follows:

    If $programname contains 'Nextcloud' then @@<IP address of the collector>:<port of the collector>

  2. Save changes to the Nextcloud-to-siem.conf configuration file.
  3. Create a backup copy of the /etc/rsyslog.conf file.
  4. Add the following lines to the /etc/rsyslog.conf configuration file:

    $IncludeConfig /etc/rsyslog.d/Nextcloud-to-siem.conf
    $RepeatedMsgReduction off

  5. Save your changes.
  6. Restart the rsyslog service by executing the following command:

    sudo systemctl restart rsyslog.service

The export of Nextcloud events to the collector is configured.
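
A pre-flight check for the two files edited in the procedures above, added here as an example and not part of the KUMA documentation or of Nextcloud: it reports which audit settings config.php lacks and which transport, host and port the rsyslog rule forwards to. The function names and sample file contents are constructed for illustration; 192.168.1.5:1514 is the example collector address used on this page.

```shell
# Added example, not KUMA or Nextcloud code. Sample file contents are constructed.

# Print "<transport> <host> <port>" for each Nextcloud forwarding rule in a file.
# rsyslog forwards "@host:port" over UDP and "@@host:port" over TCP.
forward_rules() {
    sed -n "s/^[[:space:]]*[Ii]f [\$]programname contains 'Nextcloud' then \(@@*\)\([^:[:space:]]*\):\([0-9][0-9]*\)[[:space:]]*\$/\1 \2 \3/p" "$1" |
    while read -r at host port; do
        case $at in
            @)  echo "udp $host $port" ;;
            @@) echo "tcp $host $port" ;;
            *)  echo "invalid $host $port" ;;
        esac
    done
}

# Print each audit setting that config.php lacks or sets differently.
# Whitespace and commas are ignored when comparing.
audit_settings_missing() {
    flat=$(tr -d ' \t\n,' < "$1")
    for want in "'log_type' => 'syslog'" "'syslog_tag' => 'Nextcloud'" \
                "'logfile' => ''" "'loglevel' => 0" \
                "'log.condition' => ['apps' => ['admin_audit']]"; do
        key=$(printf '%s' "$want" | tr -d ' \t')
        case $flat in
            *"$key"*) ;;
            *) echo "$want" ;;
        esac
    done
}

# Demo on constructed files: loglevel is wrong and log.condition is absent.
demo=$(mktemp -d)
cat > "$demo/config.php" <<'EOF'
<?php
$CONFIG = [
  'log_type' => 'syslog',
  'syslog_tag' => 'Nextcloud',
  'logfile' => '',
  'loglevel' => 2,
];
EOF
printf "%s\n" "if \$programname contains 'Nextcloud' then @@192.168.1.5:1514" \
    > "$demo/Nextcloud-to-siem.conf"
echo "Settings to fix:";  audit_settings_missing "$demo/config.php"
echo "Forwarding rules:"; forward_rules "$demo/Nextcloud-to-siem.conf"
rm -rf "$demo"
```

Point both functions at the real config.php and Nextcloud-to-siem.conf before restarting the services; an empty result from `audit_settings_missing` means all five settings are present as listed.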

[Topic 265585]