Solved

KSC 11 integration with AlienVault SIEM

  • 18 December 2019
  • 11 replies
  • 5723 views


Hello everybody,

The scenario is as follows:

Kaspersky Security Center 11 needs to send logs to a Syslog server, and then from the Syslog server the logs need to be sent to the AlienVault SIEM.

Is the above scenario a good practice? If the scenario is set up like the above, then:

What will be the method from KSC 11 to the Syslog server and then from the Syslog server to the SIEM... is that push or something else?

Thanks in advance

@Deadlock4400


Best answer by Kavuser10 7 January 2020, 15:34

Hello,

After the KSC 11 and Syslog server connection is done, will the client machines push the logs through KSC 11 automatically, or is there some work to do, like creating tasks on KSC 11?

You have to enable syslog in the policy that you have pushed to the clients. Open the policy in the editor and, under Events, open the specific events that you want to send and make sure syslog is enabled. See here:

https://help.kaspersky.com/KSC/SP3/en-US/151325.htm 


11 replies


Hi,

Please refer to the article - https://help.kaspersky.com/KSC/11/en-US/151335.htm

Thank you!


AlienVault USM and OSSIM have a Kaspersky log parsing plugin built in. After configuring KSC you need to add it as a log source in AlienVault and enable the Kaspersky plugin. See here:

https://cybersecurity.att.com/documentation/usm-appliance/supported-plugins/configuring-kaspersky.htm?tocpath=Documentation%7CAlienVault%C2%AE%20USM%20Appliance%E2%84%A2%7CDeployment%20Guide%7CPlugin%20Management%7CConfigure%20Log%20Forwarding%20on%20Commonly%20Used%20Data%20Sources%7C_____47


Hello @Nikolay arinchev

Thanks for your response.


Hello @Kavuser10

Thank you for your reply.


When KSC and AlienVault are integrated, will the logs from KSC to the SIEM be sent by a push or a pull method?


When KSC and AlienVault are integrated, will the logs from KSC to the SIEM be sent by a push or a pull method?


Yes. KSC will then send messages over syslog, and AlienVault then knows how to process them properly. Without enabling the plugin for KSC, the logs will show up just as generic text logs.
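As an added example (not from this thread, Kaspersky's documentation, or the AlienVault plugin), an rsyslog configuration for the intermediate Syslog server in the layout from the original question: KSC pushes events to the relay over syslog, and the relay pushes them on to the AlienVault sensor while keeping a local copy for troubleshooting. The file path, the KSC address 192.0.2.10 and the host alienvault.example.net are placeholders.

```rsyslog
# Assumed file: /etc/rsyslog.d/10-ksc-relay.conf on the intermediate Syslog server.
# Accept the events KSC pushes over syslog (UDP and TCP 514; use whichever
# matches the KSC "Export to SIEM" settings).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# 192.0.2.10 is a placeholder for the KSC Administration Server address.
if $fromhost-ip == '192.0.2.10' then {
    # Local copy: lets you separate "nothing arrives from KSC" from
    # "events arrive but the SIEM does not parse them".
    action(type="omfile" file="/var/log/ksc-relay.log")

    # Push the same events on to AlienVault (placeholder host) over TCP.
    # A disk-assisted queue with unlimited retries keeps events during a
    # sensor outage instead of silently dropping them.
    action(type="omfwd" target="alienvault.example.net" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="ksc_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")

    # Do not let KSC events fall through into the relay's own local logs.
    stop
}
```

Because the sensor now receives the events from the relay's IP rather than from KSC, check that the Kaspersky plugin is enabled for the relay as the log source.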


Hello,

After the KSC 11 and Syslog server connection is done, will the client machines push the logs through KSC 11 automatically, or is there some work to do, like creating tasks on KSC 11?



Hello @Kavuser10

Thanks

Hello @Deadlock4400,


Did you get to see the logs in the framework? I have configured the plugin in OSSIM and KSC, I receive the logs in /var/log/kaspersky-sc.log but I cannot see them in the web interface. I have tried all formats (CEF, Syslog, etc.).

Edit: I forgot to say I’m using KSC 11 too.

Edit 2: @Kavuser10, can you help with this?


Thanks in advance.
Álex

I have the exact same problem. Export to SIEM is included in KSC, the events to export to SIEM are selected in the policies, and the policies are applied on the client. I get the logs in /var/log/kaspersky-sc.log, but I do not see them in the web interface.
Can anyone help with this issue?
